Special case HTTP 0.9 early on

Mostly, treat HTTP0.9 completely separate. Because we're doing raw
delivery of a body directly, fake enough (connection_close=1, and finish
headers manually) so that the MIME infrastructure thinks it is seeing a
body.

This deals better with the body due to accounting for the first line. Also
it avoids the content line analyzer to strip CRLF/LF and the analyzer
then adding CRLF unconditionally by fully bypassing the content line
analyzer.

Concretely, the vlan-mpls test case contains a HTTP response with LF only,
but the previous implementation would use CRLF, accounting for too many bytes.
Same for the http.no-version test which would previously report a body
length of 280 and now is at 323 (which agrees with wireshark).

Further, the mime_type detection for the http-09 test case works because
it's now seeing the full body.

Drawback: We don't extract headers when a server actually replies with
a HTTP/1.1 message, but grrr, something needs to give I guess.
This commit is contained in:
Tim Wojtulewicz 2023-03-06 16:19:37 -07:00
parent 220d8a2795
commit 0003495a9b
11 changed files with 82 additions and 23 deletions


@ -37,6 +37,7 @@ enum HTTP_ExpectReply
EXPECT_REPLY_MESSAGE, EXPECT_REPLY_MESSAGE,
EXPECT_REPLY_TRAILER, EXPECT_REPLY_TRAILER,
EXPECT_REPLY_NOTHING, EXPECT_REPLY_NOTHING,
EXPECT_REPLY_HTTP09,
}; };
HTTP_Entity::HTTP_Entity(HTTP_Message* arg_message, analyzer::mime::MIME_Entity* parent_entity, HTTP_Entity::HTTP_Entity(HTTP_Message* arg_message, analyzer::mime::MIME_Entity* parent_entity,
@ -898,6 +899,37 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
const char* line = reinterpret_cast<const char*>(data); const char* line = reinterpret_cast<const char*>(data);
const char* end_of_line = line + len; const char* end_of_line = line + len;
// HTTP 0.9 is just raw data directly from the server, special case.
if ( reply_state == EXPECT_REPLY_HTTP09 && ! is_orig )
{
if ( ! reply_message )
{
SetVersion(&reply_version, {0, 9});
if ( ! unanswered_requests.empty() )
{
AnalyzerConfirmation();
unanswered_requests.pop();
}
// Expect the server to close the connection after replying. This is used within
// HTTP_Message() below to switch the message into plain delivery mode (and
// the content_line_analyzer, but that's not used anymore).
connection_close = 1;
reply_ongoing = 1;
HTTP_Reply();
InitHTTPMessage(content_line_resp, reply_message, is_orig, ExpectReplyMessageBody(), 0);
// Finish header processing right way and switch into plain delivery.
// Need trailing_CRLF set to avoid a weird.
reply_message->Deliver(0, "", true);
}
reply_message->Deliver(len, line, false);
return;
}
analyzer::tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig analyzer::tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig
: content_line_resp; : content_line_resp;
@ -947,6 +979,14 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
unanswered_requests.push(request_method); unanswered_requests.push(request_method);
HTTP_Request(); HTTP_Request();
InitHTTPMessage(content_line, request_message, is_orig, HTTP_BODY_MAYBE, len); InitHTTPMessage(content_line, request_message, is_orig, HTTP_BODY_MAYBE, len);
// For HTTP/0.9, turn off the content_line analyzer for the
// responder because we expect raw data.
if ( request_version == HTTP_VersionNumber{0, 9} )
{
reply_state = EXPECT_REPLY_HTTP09;
RemoveSupportAnalyzer(content_line_resp);
}
} }
else else
@ -1048,6 +1088,8 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
break; break;
case EXPECT_REPLY_HTTP09:
// unreachable
case EXPECT_REPLY_TRAILER: case EXPECT_REPLY_TRAILER:
case EXPECT_REPLY_NOTHING: case EXPECT_REPLY_NOTHING:
break; break;
@ -1229,7 +1271,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
// If we determined HTTP/0.9 (no HTTP/ in the request line), assert that // If we determined HTTP/0.9 (no HTTP/ in the request line), assert that
// minimally we have an URI and a 3 character method (HTTP 0.9 only // minimally we have an URI and a 3 character method (HTTP 0.9 only
// supports GET). If that doesn't hold, probably not HTTP or very stange. // supports GET). If that doesn't hold, probably not HTTP or very stange.
if ( request_version.major == 0 && request_version.minor == 9 ) if ( request_version == HTTP_VersionNumber{0, 9} )
{ {
bool maybe_get_method = (end_of_method - line) >= 3; bool maybe_get_method = (end_of_method - line) >= 3;
bool has_uri = request_URI && request_URI->Len() > 0; bool has_uri = request_URI && request_URI->Len() > 0;
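Review bot: `content_line_resp` is handed to `InitHTTPMessage(content_line_resp, reply_message, ...)` on the new 0.9 reply path after the request-side hunk has already called `RemoveSupportAnalyzer(content_line_resp)`, which is only safe if removal is deferred (the support analyzer is marked and not freed until the parent analyzer goes away) — I believe that is how removal works, but nothing in the hunk states it, and a reader will see a removed analyzer being reused. A one-line comment at that call, `// content_line_resp was marked for removal when the 0.9 request was seen; it is only recorded here, delivery below bypasses it`, would make the lifetime assumption explicit. The comment above `reply_message->Deliver(0, "", true)` reads `// Finish header processing right way and switch into plain delivery.` / `// Need trailing_CRLF set to avoid a weird.` — "right way" should be "right away", and the second sentence is unfinished; name the weird that passing `true` suppresses. Because a request line without an `HTTP/` token now locks the responder into raw delivery for the rest of the connection (`reply_state` never leaves `EXPECT_REPLY_HTTP09` and the content-line analyzer is gone), consider raising a weird when the first reply bytes begin with `HTTP/`, so the lost status-code and header analysis that the commit message accepts as a drawback is at least visible in weird.log rather than silently producing `status_code 0`. DeliverStream's body continues outside these hunks.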


@ -78,6 +78,7 @@ bool is_valid(zeek::Span<const zeek::telemetry::LabelView> labels,
{ {
return std::find(keys.begin(), keys.end(), x.first) != keys.end(); return std::find(keys.begin(), keys.end(), x.first) != keys.end();
}; };
return labels.size() == label_names.size() return labels.size() == label_names.size()
&& std::all_of(labels.begin(), labels.end(), key_in_label_names); && std::all_of(labels.begin(), labels.end(), key_in_label_names);
} }


@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp http 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -9,5 +9,5 @@
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 -
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp http 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


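--- /dev/null
+++ b/BASELINE_PATH_NOT_SHOWN
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - 1.1 Wget/1.10 - 0 9130 200 OK - - (empty) - - - - - - FYH9ib1vyzc2Ub6Rg - text/html
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 1 GET - / - 0.9 - - 0 3429 0 <empty> - - (empty) - - - - - - FUJ4zD4d30B62GHEJe - text/html
+#close XXXX-XX-XX-XX-XX-XX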


@ -13,7 +13,7 @@ XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 1 - - -
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F9dgu92yX4m0pznJVh - text/html XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F9dgu92yX4m0pznJVh - text/html
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43911 200 OK - - (empty) - - - - - - FlYnY41dh1lfca0Oo4 - text/html XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43911 200 OK - - (empty) - - - - - - FlYnY41dh1lfca0Oo4 - text/html
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43983 200 OK - - (empty) - - - - - - FXZ0rI33nlTX0OLWj - text/html XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43983 200 OK - - (empty) - - - - - - FXZ0rI33nlTX0OLWj - text/html
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 1.0 - - 0 1207 403 Forbidden - - (empty) - - - - - - F5MVj11Zn2uU55Er2i - text/html XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 0.9 - - 0 1349 0 <empty> - - (empty) - - - - - - F5MVj11Zn2uU55Er2i - text/plain
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fv4CUw2OVTa5d90Fh5 - text/html XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fv4CUw2OVTa5d90Fh5 - text/html
XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FpKdCS1VswPP57cOE9 - text/html XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FpKdCS1VswPP57cOE9 - text/html
XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43913 200 OK - - (empty) - - - - - - FKce9H2mSI6H6yHKzg - text/html XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43913 200 OK - - (empty) - - - - - - FKce9H2mSI6H6yHKzg - text/html
@ -23,37 +23,37 @@ XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 1 - - -
XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FGHZXz1oh7AvmEq9i4 - text/html XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FGHZXz1oh7AvmEq9i4 - text/html
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fgqofp246KRqF7D9sc - text/html XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fgqofp246KRqF7D9sc - text/html
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FsrHvh4vRpg5AYSB8 - text/html XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FsrHvh4vRpg5AYSB8 - text/html
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FTq0Uy1Ug7VB8q6CY7 - text/html XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FTq0Uy1Ug7VB8q6CY7 - text/plain
XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FukPcH2neOquJJLf8g - text/html XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FukPcH2neOquJJLf8g - text/html
XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FOo9cxBIsa3iJ5qN4 - text/html XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FOo9cxBIsa3iJ5qN4 - text/html
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FnYYzruLUTCbaQpR9 - text/html XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FnYYzruLUTCbaQpR9 - text/html
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FG8LG51VfiVSWb3jJ4 - text/html XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FG8LG51VfiVSWb3jJ4 - text/html
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FmY2JP1uFMzpih2T5k - text/html XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FmY2JP1uFMzpih2T5k - text/plain
XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Ft6x4f1gLwufsDMk3b - text/html XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Ft6x4f1gLwufsDMk3b - text/html
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FcrCgs1l6XUe3m3G3 - text/html XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FcrCgs1l6XUe3m3G3 - text/html
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FV6ptz2ZZc1KZ85CW9 - text/html XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FV6ptz2ZZc1KZ85CW9 - text/html
XXXXXXXXXX.XXXXXX CiyBAq1bBLNaTiTAc 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - F3kZmH1qEoqQDbCvv3 - text/html XXXXXXXXXX.XXXXXX CiyBAq1bBLNaTiTAc 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - F3kZmH1qEoqQDbCvv3 - text/html
XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FnzjhN1kiTIpTAXpZc - text/html XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FnzjhN1kiTIpTAXpZc - text/plain
XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0fcfg2UiGETutfuO3 - text/html XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0fcfg2UiGETutfuO3 - text/html
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Frwjhm4pAuj96jhxg3 - text/html XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Frwjhm4pAuj96jhxg3 - text/html
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - FDs4QT2vxiz0jaRSD3 - text/html XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - FDs4QT2vxiz0jaRSD3 - text/html
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FgwVMf4DhoPAR4Oxn6 - text/html XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FgwVMf4DhoPAR4Oxn6 - text/html
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FhEHRYDqJ3q9Pu9w9 - text/html XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FhEHRYDqJ3q9Pu9w9 - text/plain
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0ckug3XAVKLrstJ - text/html XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0ckug3XAVKLrstJ - text/html
XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FQi9JS2Ea13Q3hvJpl - text/html XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FQi9JS2Ea13Q3hvJpl - text/html
XXXXXXXXXX.XXXXXX CNdne23ox8SQTgPoy3 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FSPT252QEvoM8wm9Ub - text/html XXXXXXXXXX.XXXXXX CNdne23ox8SQTgPoy3 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FSPT252QEvoM8wm9Ub - text/html
XXXXXXXXXX.XXXXXX CeGt004UBsXLoZSeCg 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FIJCfY2WEfzINSweEh - text/html XXXXXXXXXX.XXXXXX CeGt004UBsXLoZSeCg 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FIJCfY2WEfzINSweEh - text/html
XXXXXXXXXX.XXXXXX CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FTrfNi1KZnG6fLB5K - text/html XXXXXXXXXX.XXXXXX CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 0.9 - - 0 1081 0 <empty> - - (empty) - - - - - - FTrfNi1KZnG6fLB5K - text/plain
XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwbpdH2ugoStqqEn63 - text/html XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwbpdH2ugoStqqEn63 - text/html
XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fbekc63DN5cEfYAuP - text/html XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fbekc63DN5cEfYAuP - text/html
XXXXXXXXXX.XXXXXX Cgc67J2CpHIVN7HAw4 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FWP5H743gMt6ziess1 - text/html XXXXXXXXXX.XXXXXX Cgc67J2CpHIVN7HAw4 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FWP5H743gMt6ziess1 - text/html
XXXXXXXXXX.XXXXXX CgwPkWkJfuBIJsNi4 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FODewZ3keWe7Sf6mMl - text/html XXXXXXXXXX.XXXXXX CgwPkWkJfuBIJsNi4 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FODewZ3keWe7Sf6mMl - text/html
XXXXXXXXXX.XXXXXX CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FAdPMc1c0vSfGK3Yk8 - text/html XXXXXXXXXX.XXXXXX CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 0.9 - - 0 1081 0 <empty> - - (empty) - - - - - - FAdPMc1c0vSfGK3Yk8 - text/plain
XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F4g02SfNlTYyq1Cpj - text/html XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F4g02SfNlTYyq1Cpj - text/html
XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwyUaU3IrIxkmERs3 - text/html XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwyUaU3IrIxkmERs3 - text/html
XXXXXXXXXX.XXXXXX CWhRtK3eXodviHmbo7 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CWhRtK3eXodviHmbo7 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - -
XXXXXXXXXX.XXXXXX CqVUM4vyqCacqFiud 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CqVUM4vyqCacqFiud 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - -
XXXXXXXXXX.XXXXXX CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 1.0 - - 0 0 400 Bad Request - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 0.9 - - 0 143 0 <empty> - - (empty) - - - - - - FrRsMs3OPLlkk8ztc6 - text/plain
XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FXonC02oI6E6ZT4pi4 - text/html XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FXonC02oI6E6ZT4pi4 - text/html
XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F8h50j2nZJ3Oloni53 - text/html XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F8h50j2nZJ3Oloni53 - text/html
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,6 +7,8 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] #types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 42960 127.0.0.1 80 1 GET - /zeek.html - - - - 0 0 - - - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 42960 127.0.0.1 80 1 GET - /zeek.html - 0.9 - - 0 51 0 <empty> - - (empty) - - - - - - F9io3P2BHcd8Gf17a4 - text/html
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 42964 127.0.0.1 80 1 POST - /zeek.html - - - - 0 0 - - - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 42960 127.0.0.1 80 2 - - - - - - - 0 0 - - - - (empty) - - - - - - - - -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 42964 127.0.0.1 80 1 POST - /zeek.html - 0.9 - - 0 11 0 <empty> - - (empty) - - - - - - FI8sW83mGRiat332Cc - text/plain
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 42964 127.0.0.1 80 2 - - - - - - - 0 0 - - - - (empty) - - - - - - - - -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -13,7 +13,7 @@ XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 1 - - -
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F9dgu92yX4m0pznJVh - text/html XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F9dgu92yX4m0pznJVh - text/html
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43911 200 OK - - (empty) - - - - - - FlYnY41dh1lfca0Oo4 - text/html XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43911 200 OK - - (empty) - - - - - - FlYnY41dh1lfca0Oo4 - text/html
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43983 200 OK - - (empty) - - - - - - FXZ0rI33nlTX0OLWj - text/html XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43983 200 OK - - (empty) - - - - - - FXZ0rI33nlTX0OLWj - text/html
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 1.0 - - 0 1207 403 Forbidden - - (empty) - - - - - - F5MVj11Zn2uU55Er2i - text/html XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 0.9 - - 0 1349 0 <empty> - - (empty) - - - - - - F5MVj11Zn2uU55Er2i - text/plain
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fv4CUw2OVTa5d90Fh5 - text/html XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fv4CUw2OVTa5d90Fh5 - text/html
XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FpKdCS1VswPP57cOE9 - text/html XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FpKdCS1VswPP57cOE9 - text/html
XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43913 200 OK - - (empty) - - - - - - FKce9H2mSI6H6yHKzg - text/html XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43913 200 OK - - (empty) - - - - - - FKce9H2mSI6H6yHKzg - text/html
@ -23,37 +23,37 @@ XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 1 - - -
XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FGHZXz1oh7AvmEq9i4 - text/html XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FGHZXz1oh7AvmEq9i4 - text/html
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fgqofp246KRqF7D9sc - text/html XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fgqofp246KRqF7D9sc - text/html
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FsrHvh4vRpg5AYSB8 - text/html XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FsrHvh4vRpg5AYSB8 - text/html
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FTq0Uy1Ug7VB8q6CY7 - text/html XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FTq0Uy1Ug7VB8q6CY7 - text/plain
XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FukPcH2neOquJJLf8g - text/html XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FukPcH2neOquJJLf8g - text/html
XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FOo9cxBIsa3iJ5qN4 - text/html XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FOo9cxBIsa3iJ5qN4 - text/html
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FnYYzruLUTCbaQpR9 - text/html XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FnYYzruLUTCbaQpR9 - text/html
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FG8LG51VfiVSWb3jJ4 - text/html XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FG8LG51VfiVSWb3jJ4 - text/html
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FmY2JP1uFMzpih2T5k - text/html XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FmY2JP1uFMzpih2T5k - text/plain
XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Ft6x4f1gLwufsDMk3b - text/html XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Ft6x4f1gLwufsDMk3b - text/html
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FcrCgs1l6XUe3m3G3 - text/html XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FcrCgs1l6XUe3m3G3 - text/html
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FV6ptz2ZZc1KZ85CW9 - text/html XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FV6ptz2ZZc1KZ85CW9 - text/html
XXXXXXXXXX.XXXXXX CiyBAq1bBLNaTiTAc 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - F3kZmH1qEoqQDbCvv3 - text/html XXXXXXXXXX.XXXXXX CiyBAq1bBLNaTiTAc 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - F3kZmH1qEoqQDbCvv3 - text/html
XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FnzjhN1kiTIpTAXpZc - text/html XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FnzjhN1kiTIpTAXpZc - text/plain
XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0fcfg2UiGETutfuO3 - text/html XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0fcfg2UiGETutfuO3 - text/html
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Frwjhm4pAuj96jhxg3 - text/html XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Frwjhm4pAuj96jhxg3 - text/html
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - FDs4QT2vxiz0jaRSD3 - text/html XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - FDs4QT2vxiz0jaRSD3 - text/html
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FgwVMf4DhoPAR4Oxn6 - text/html XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FgwVMf4DhoPAR4Oxn6 - text/html
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FhEHRYDqJ3q9Pu9w9 - text/html XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 0.9 - - 0 1068 0 <empty> - - (empty) - - - - - - FhEHRYDqJ3q9Pu9w9 - text/plain
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0ckug3XAVKLrstJ - text/html XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F0ckug3XAVKLrstJ - text/html
XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FQi9JS2Ea13Q3hvJpl - text/html XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FQi9JS2Ea13Q3hvJpl - text/html
XXXXXXXXXX.XXXXXX CNdne23ox8SQTgPoy3 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FSPT252QEvoM8wm9Ub - text/html XXXXXXXXXX.XXXXXX CNdne23ox8SQTgPoy3 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FSPT252QEvoM8wm9Ub - text/html
XXXXXXXXXX.XXXXXX CeGt004UBsXLoZSeCg 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FIJCfY2WEfzINSweEh - text/html XXXXXXXXXX.XXXXXX CeGt004UBsXLoZSeCg 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FIJCfY2WEfzINSweEh - text/html
XXXXXXXXXX.XXXXXX CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FTrfNi1KZnG6fLB5K - text/html XXXXXXXXXX.XXXXXX CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 0.9 - - 0 1081 0 <empty> - - (empty) - - - - - - FTrfNi1KZnG6fLB5K - text/plain
XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwbpdH2ugoStqqEn63 - text/html XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwbpdH2ugoStqqEn63 - text/html
XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fbekc63DN5cEfYAuP - text/html XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fbekc63DN5cEfYAuP - text/html
XXXXXXXXXX.XXXXXX Cgc67J2CpHIVN7HAw4 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FWP5H743gMt6ziess1 - text/html XXXXXXXXXX.XXXXXX Cgc67J2CpHIVN7HAw4 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FWP5H743gMt6ziess1 - text/html
XXXXXXXXXX.XXXXXX CgwPkWkJfuBIJsNi4 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FODewZ3keWe7Sf6mMl - text/html XXXXXXXXXX.XXXXXX CgwPkWkJfuBIJsNi4 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FODewZ3keWe7Sf6mMl - text/html
XXXXXXXXXX.XXXXXX CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FAdPMc1c0vSfGK3Yk8 - text/html XXXXXXXXXX.XXXXXX CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 0.9 - - 0 1081 0 <empty> - - (empty) - - - - - - FAdPMc1c0vSfGK3Yk8 - text/plain
XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F4g02SfNlTYyq1Cpj - text/html XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F4g02SfNlTYyq1Cpj - text/html
XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwyUaU3IrIxkmERs3 - text/html XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FwyUaU3IrIxkmERs3 - text/html
XXXXXXXXXX.XXXXXX CWhRtK3eXodviHmbo7 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CWhRtK3eXodviHmbo7 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - -
XXXXXXXXXX.XXXXXX CqVUM4vyqCacqFiud 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CqVUM4vyqCacqFiud 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - -
XXXXXXXXXX.XXXXXX CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 1.0 - - 0 0 400 Bad Request - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 0.9 - - 0 143 0 <empty> - - (empty) - - - - - - FrRsMs3OPLlkk8ztc6 - text/plain
XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FXonC02oI6E6ZT4pi4 - text/html XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FXonC02oI6E6ZT4pi4 - text/html
XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F8h50j2nZJ3Oloni53 - text/html XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F8h50j2nZJ3Oloni53 - text/html
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,5 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] #types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 131.243.1.23 1035 131.243.1.10 80 1 GET - /cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t - - - - 0 0 - - - - (empty) - - - - - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 131.243.1.23 1035 131.243.1.10 80 1 GET - /cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t - 0.9 - - 0 323 0 <empty> - - (empty) - - - - - - FKWfMA1PSzh7CAB0Qj - text/html
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 131.243.1.23 1035 131.243.1.10 80 2 - - - - - - - 0 0 - - - - (empty) - - - - - - - - -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
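Review bot: The new baseline accepts a second http.log row for CHhAvVGS1DHFjwGM9 at trans_depth 2 with no method, version, status or body lengths — the line right after the 0.9 record; the hunk counts (-7,5 +7,6) make it an addition, not context. An all-empty transaction on a connection that carried a single HTTP/0.9 exchange looks like an artifact of the new special case rather than observed traffic, plausibly a fresh message being opened when the connection is torn down, though the generating analyzer code is outside this page. Consumers that count transactions per connection or flag empty http.log rows would see this as a change in behaviour. If the extra row is intended, the commit description should say why 0.9 connections now log a trailing empty transaction; otherwise it is worth checking the analyzer before accepting the baseline.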


@ -1,5 +1,6 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/mixed-vlan-mpls.trace %INPUT # @TEST-EXEC: zeek -b -C -r $TRACES/mixed-vlan-mpls.trace %INPUT
# @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff http.log
@load base/protocols/conn @load base/protocols/conn
@load base/protocols/http @load base/protocols/http


@ -1 +1 @@
b78a6881733079ef5e17c4dea95a8a2566f8b3b8 3c4e707f5d18531ec8a82dc14daa48bd19bfb676