Change HTTP's DPD signatures so that each side can trigger the analyzer on its own.

This is to avoid missing large sessions where a single side exceeds the DPD buffer size. It comes with the trade-off that now the analyzer can be triggered by anybody controlling one of the endpoints (instead of both). Test suite changes are minor, and nothing in "external". Closes #343.
2025-10-02 14:48:21 +00:00 · 2020-09-08 07:33:36 +00:00 · 2020-09-08 07:33:36 +00:00 · 0af57d12b2
commit 0af57d12b2
parent a00b712e39
6 changed files with 32 additions and 6 deletions
--- a/testing/btest/scripts/base/protocols/http/http-dpd-large-req.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-dpd-large-req.zeek
@ -0,0 +1,13 @@
+# @TEST-EXEC: zeek -C -b -r $TRACES/http/http_large_req_8001.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# 
+# @TEST-DOC: Tests our DPD signatures with a session where one side exceeds the DPD buffer size.
+
+@load base/protocols/conn
+@load base/protocols/http
+@load base/frameworks/dpd
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+	{
+	print "http_request", version, method, original_URI;
+	}