/**
** Set an HTTPINSPECT_CONF to mimic apache configuration.
**
** This sets a server configuration to imitate an apache web server,
** and should reduce false positives against systems on which certain
** attacks or evasions do not work. We hope to still log an event,
** but one that is less priority.
**
** @param ServerConf pointer to structure HTTPINSPECT_CONF
**
** @return integer
**
** @retval HI_SUCCESS function successful
** @retval HI_MEM_ALLOC_FAIL memory allocation failed
*/
int hi_ui_config_set_profile_apache(HTTPINSPECT_CONF *ServerConf)
{
/*
** Reset the structure so we can assume zeros.
*/
hi_ui_config_reset_server(ServerConf);
ServerConf->flow_depth = 300;
ServerConf->non_strict = 1;
ServerConf->chunk_length = 500000;
ServerConf->ascii.on = 1;
ServerConf->multiple_slash.on = 1;
ServerConf->directory.on = 1;
ServerConf->webroot.on = 1;
ServerConf->webroot.alert = 1;
ServerConf->apache_whitespace.on = 1;
ServerConf->utf_8.on = 1;
ServerConf->whitespace[9] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* horizontal tab */
ServerConf->whitespace[11] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* vertical tab */
ServerConf->whitespace[12] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* form feed */
ServerConf->whitespace[13] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* carriage return */
return HI_SUCCESS;
}
/**
** Set an HTTPINSPECT_CONF to catch all attacks and evasions.
**
** This basically turns on all the tricks and most of the
** alerts, so you won't miss anything that HttpInspect does.
**
** @param ServerConf pointer to structure HTTPINSPECT_CONF
**
** @return integer
**
** @retval HI_SUCCESS function successful
** @retval HI_MEM_ALLOC_FAIL memory allocation failed
*/
int hi_ui_config_set_profile_all(HTTPINSPECT_CONF *ServerConf,
int *iis_unicode_map)
{
if(iis_unicode_map == NULL)
{
return HI_INVALID_ARG;
}
/*
** Reset the structure so we can assume zeros.
*/
hi_ui_config_reset_server(ServerConf);
ServerConf->server_flow_depth = 300;
ServerConf->client_flow_depth = 300;
ServerConf->chunk_length = 500000;
ServerConf->iis_unicode_map = iis_unicode_map;
ServerConf->ascii.on = 1;
ServerConf->multiple_slash.on = 1;
ServerConf->directory.on = 1;
ServerConf->webroot.on = 1;
ServerConf->webroot.alert = 1;
ServerConf->double_decoding.on = 1;
ServerConf->double_decoding.alert = 1;
ServerConf->u_encoding.on = 1;
ServerConf->u_encoding.alert = 1;
ServerConf->bare_byte.on = 1;
ServerConf->bare_byte.alert = 1;
ServerConf->iis_unicode.on = 1;
ServerConf->iis_unicode.alert = 1;
ServerConf->iis_backslash.on = 1;
ServerConf->iis_delimiter.on = 1;
ServerConf->apache_whitespace.on = 1;
ServerConf->non_strict = 1;
ServerConf->whitespace[9] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* horizontal tab */
ServerConf->whitespace[11] = HI_UI_CONFIG_WS_BEFORE_URI; /* vertical tab */
ServerConf->whitespace[12] = HI_UI_CONFIG_WS_BEFORE_URI; /* form feed */
ServerConf->whitespace[13] = HI_UI_CONFIG_WS_BEFORE_URI; /* carriage return */
ServerConf->max_hdr_len = HI_UI_CONFIG_MAX_HDR_DEFAULT;
ServerConf->max_headers = HI_UI_CONFIG_MAX_HEADERS_DEFAULT;
return HI_SUCCESS;
}
/**
** Set an HTTPINSPECT_CONF to mimic apache configuration.
**
** This sets a server configuration to imitate an apache web server,
** and should reduce false positives against systems on which certain
** attacks or evasions do not work. We hope to still log an event,
** but one that is less priority.
**
** @param ServerConf pointer to structure HTTPINSPECT_CONF
**
** @return integer
**
** @retval HI_SUCCESS function successful
** @retval HI_MEM_ALLOC_FAIL memory allocation failed
*/
int hi_ui_config_set_profile_apache(HTTPINSPECT_CONF *ServerConf)
{
/*
** Reset the structure so we can assume zeros.
*/
hi_ui_config_reset_server(ServerConf);
ServerConf->server_flow_depth = 300;
ServerConf->client_flow_depth = 300;
ServerConf->post_depth = -1;
ServerConf->non_strict = 1;
ServerConf->chunk_length = 500000;
ServerConf->ascii.on = 1;
ServerConf->multiple_slash.on = 1;
ServerConf->directory.on = 1;
ServerConf->webroot.on = 1;
ServerConf->webroot.alert = 1;
ServerConf->apache_whitespace.on = 1;
ServerConf->utf_8.on = 1;
ServerConf->normalize_utf = 1;
ServerConf->normalize_javascript = 0;
ServerConf->whitespace[9] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* horizontal tab */
ServerConf->whitespace[11] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* vertical tab */
ServerConf->whitespace[12] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* form feed */
ServerConf->whitespace[13] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* carriage return */
ServerConf->max_hdr_len = HI_UI_CONFIG_MAX_HDR_DEFAULT;
ServerConf->max_headers = HI_UI_CONFIG_MAX_HEADERS_DEFAULT;
ServerConf->max_spaces = HI_UI_CONFIG_MAX_SPACES_DEFAULT;
ServerConf->max_js_ws = HI_UI_CONFIG_MAX_SPACES_DEFAULT;
return HI_SUCCESS;
}
