From 51836d08aec78b7925c0a34ba25fdbcb5f225144 Mon Sep 17 00:00:00 2001 
From: Arne Welzel Date: Thu, 5 Dec 2024 17:57:27 +0100 Subject: [PATCH 1/2] protocol: Add StreamEvent analyzer This analyzer can be used to transport raw stream data for a given connection to the script layer. For example, adding this analyzer into the HTTP::upgrade_analyzer or using it to configure a child WebSocket analyzer allows to get access to the raw stream data in script land when no more appropriate protocol analyzer is available. --- NEWS | 14 ++++++++ src/analyzer/protocol/CMakeLists.txt | 1 + .../protocol/stream_event/CMakeLists.txt | 8 +++++ src/analyzer/protocol/stream_event/Plugin.cc | 23 +++++++++++++ src/analyzer/protocol/stream_event/README | 9 +++++ .../protocol/stream_event/StreamEvent.cc | 27 +++++++++++++++ .../protocol/stream_event/StreamEvent.h | 19 +++++++++++ src/analyzer/protocol/stream_event/events.bif | 33 +++++++++++++++++++ .../core.analyzer-stream-event-disable/out | 5 +++ .../Baseline/core.analyzer-stream-event/out | 6 ++++ .../canonified_loaded_scripts.log | 1 + .../canonified_loaded_scripts.log | 1 + testing/btest/Baseline/plugins.hooks/output | 6 ++++ .../scripts.base.files.x509.files/files.log | 12 +++---- .../core/analyzer-stream-event-disable.zeek | 30 +++++++++++++++++ testing/btest/core/analyzer-stream-event.zeek | 12 +++++++ 16 files changed, 201 insertions(+), 6 deletions(-) create mode 100644 src/analyzer/protocol/stream_event/CMakeLists.txt create mode 100644 src/analyzer/protocol/stream_event/Plugin.cc create mode 100644 src/analyzer/protocol/stream_event/README create mode 100644 src/analyzer/protocol/stream_event/StreamEvent.cc create mode 100644 src/analyzer/protocol/stream_event/StreamEvent.h create mode 100644 src/analyzer/protocol/stream_event/events.bif create mode 100644 testing/btest/Baseline/core.analyzer-stream-event-disable/out create mode 100644 testing/btest/Baseline/core.analyzer-stream-event/out create mode 100644 testing/btest/core/analyzer-stream-event-disable.zeek create mode 100644 
testing/btest/core/analyzer-stream-event.zeek diff --git a/NEWS b/NEWS index fa36d249f1..550657d6ef 100644 --- a/NEWS +++ b/NEWS @@ -86,6 +86,20 @@ New Functionality redef LogSQLite::journal_mode=LogSQLite::SQLITE_JOURNAL_MODE_WAL; +* A pseudo protocol analyzer StreamEvent has been added. Attaching this analyzer + to TCP connections allows processing the connection's stream data in the + scripting layer. One example use-case is interactive terminal sessions over + HTTP connections upgraded to TCP. + + redef HTTP::upgrade_analyzers += { + ["tcp"] = Analyzer::ANALYZER_STREAM_EVENT, + }; + + event stream_deliver(c: connection, is_orig: bool, data: string); + + This comes with performance caveats: For use-cases with high-data rates + a native protocol analyzer with dedicated events will be far more efficient. + Changed Functionality --------------------- diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index 654b1bab03..82cfb58b47 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -41,6 +41,7 @@ add_subdirectory(snmp) add_subdirectory(socks) add_subdirectory(ssh) add_subdirectory(ssl) +add_subdirectory(stream_event) add_subdirectory(syslog) add_subdirectory(tcp) add_subdirectory(websocket) diff --git a/src/analyzer/protocol/stream_event/CMakeLists.txt b/src/analyzer/protocol/stream_event/CMakeLists.txt new file mode 100644 index 0000000000..deae252f9d --- /dev/null +++ b/src/analyzer/protocol/stream_event/CMakeLists.txt @@ -0,0 +1,8 @@ +zeek_add_plugin( + Zeek + StreamEvent + SOURCES + StreamEvent.cc + Plugin.cc + BIFS + events.bif) diff --git a/src/analyzer/protocol/stream_event/Plugin.cc b/src/analyzer/protocol/stream_event/Plugin.cc new file mode 100644 index 0000000000..33d04a299a --- /dev/null +++ b/src/analyzer/protocol/stream_event/Plugin.cc 
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/analyzer/Component.h"
+#include "zeek/analyzer/protocol/stream_event/StreamEvent.h"
+
+namespace zeek::plugin::detail::Zeek_StreamEvent {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure() override {
+ AddComponent(new zeek::analyzer::Component("STREAM_EVENT",
+ zeek::analyzer::stream_event::StreamEvent_Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::StreamEvent";
+ config.description = "Delivers stream data as events";
+ return config;
+ }
+} plugin;
+
+} // namespace zeek::plugin::detail::Zeek_StreamEvent
diff --git a/src/analyzer/protocol/stream_event/README b/src/analyzer/protocol/stream_event/README
new file mode 100644
index 0000000000..2c4cae867e
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/README
@@ -0,0 +1,9 @@
+TCP application analyzer for handing raw stream data to script-land.
+
+This analyzer can be added as an upgrade analyzer, registered via the
+well-known ports mechanism, or even DPD. It allows script-layer access
+to the stream data when no more specific analyzer is available.
+
+This is similar to the tcp_contents event, but more flexible in that it
+can be added to an existing connection, or disabled over the lifetime
+of a connection.
diff --git a/src/analyzer/protocol/stream_event/StreamEvent.cc b/src/analyzer/protocol/stream_event/StreamEvent.cc
new file mode 100644
index 0000000000..94c569efc6
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/StreamEvent.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/analyzer/protocol/stream_event/StreamEvent.h"
+
+#include "zeek/analyzer/protocol/stream_event/events.bif.h"
+
+namespace zeek::analyzer::stream_event {
+
+StreamEvent_Analyzer::StreamEvent_Analyzer(Connection* conn)
+ : analyzer::tcp::TCP_ApplicationAnalyzer("STREAM_EVENT", conn) {}
+
+
+void StreamEvent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) {
+ analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+ auto s = len > 0 ? zeek::make_intrusive(len, reinterpret_cast(data)) :
+ zeek::val_mgr->EmptyString();
+
+ BifEvent::enqueue_stream_deliver(this, Conn(), orig, std::move(s));
+}
+void StreamEvent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) {
+ analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+ BifEvent::enqueue_stream_undelivered(this, Conn(), orig, seq, len);
+}
+
+} // namespace zeek::analyzer::stream_event
diff --git a/src/analyzer/protocol/stream_event/StreamEvent.h b/src/analyzer/protocol/stream_event/StreamEvent.h
new file mode 100644
index 0000000000..8ce3ddb64a
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/StreamEvent.h
@@ -0,0 +1,19 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+
+namespace zeek::analyzer::stream_event {
+
+class StreamEvent_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
+public:
+ explicit StreamEvent_Analyzer(Connection* conn);
+
+ void DeliverStream(int len, const u_char* data, bool orig) override;
+ void Undelivered(uint64_t seq, int len, bool orig) override;
+
+ static analyzer::Analyzer* Instantiate(Connection* conn) { return new StreamEvent_Analyzer(conn); }
+};
+
+} // namespace zeek::analyzer::stream_event
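Review bot: `DeliverStream` copies every reassembled chunk into a fresh `StringVal` before it calls `enqueue_stream_deliver`, so the allocation and copy are paid even when no script handler for `stream_deliver` is loaded; unless the generated enqueue helper already short-circuits on a missing handler, add the guard other analyzers use, `if ( ! stream_deliver ) return;`, directly after the base-class `DeliverStream` call and before `s` is built. This matters because the README and NEWS describe attaching the analyzer by well-known port or DPD, where the amount of payload that reaches this path is chosen by the remote peer, and the per-chunk copy is the cost the NEWS entry already warns about. The same guard would fit `Undelivered` for `stream_undelivered`, although that path allocates nothing and is cheap either way.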
diff --git a/src/analyzer/protocol/stream_event/events.bif b/src/analyzer/protocol/stream_event/events.bif
new file mode 100644
index 0000000000..8f4d505f84
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/events.bif
@@ -0,0 +1,33 @@
+## Generated for each chunk of reassembled TCP payload.
+##
+## This is a low-level event to inspect stream data from the originator
+## and responder endpoints. This can be useful for debugging purposes, or
+## for logging of plain-text interactive sessions when no more appropriate
+## analyzer is available.
+##
+## Note that this event is potentially expensive if connections that have
+## the stream event analyzer attached carry significant amounts of data.
+## Generally, a native protocol parser will have much less overhead than
+## passing the complete stream data to the scripting layer.
+##
+## c: The connection.
+##
+## is_orig: T if stream data is from the originator-side, else F.
+##
+## data: The raw payload.
+##
+## .. zeek:see:: stream_undelivered tcp_contents
+event stream_deliver%(c: connection, is_orig: bool, data: string%);
+
+## Generated when Zeek detects a gap in a reassembled TCP payload stream.
+##
+## c: The connection.
+##
+## is_orig: T if the gap is in the originator-side input, else F.
+##
+## seq: The sequence number of the first byte of the gap.
+##
+## len: The length of the gap.
+##
+## .. zeek:see:: stream_deliver content_gap
+event stream_undelivered%(c: connection, is_orig: bool, seq: count, len: count%);
diff --git a/testing/btest/Baseline/core.analyzer-stream-event-disable/out b/testing/btest/Baseline/core.analyzer-stream-event-disable/out
new file mode 100644
index 0000000000..c3e44c0244
--- /dev/null
+++ b/testing/btest/Baseline/core.analyzer-stream-event-disable/out
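Review bot: The `data:` line of the `stream_deliver` documentation should state that chunk boundaries carry no protocol meaning and that the bytes are untrusted: a chunk is whatever the TCP reassembler delivered, so one event may carry a partial line and the next its remainder, and the payload can hold arbitrary binary including terminal control sequences, as the `\x1b[` escapes in the upgrade-to-tcp baseline of this series show. Handlers that log or display it therefore have to buffer across events and escape before writing, which is what the per-direction buffers in that test do. Suggested wording: `## data: The raw payload as delivered by the TCP reassembler. Chunk boundaries are arbitrary and the bytes are untrusted; handlers that need line or message framing must buffer across events.`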
@@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, new_connection +CHhAvVGS1DHFjwGM9, T, 136, GET /download/CHANGES.bro-aux.tx +CHhAvVGS1DHFjwGM9, F, 1448, HTTP/1.1 200 OK\x0d\x0aDate: Thu, 07 M +CHhAvVGS1DHFjwGM9, connection_state_remove diff --git a/testing/btest/Baseline/core.analyzer-stream-event/out b/testing/btest/Baseline/core.analyzer-stream-event/out new file mode 100644 index 0000000000..7cd9f9d414 --- /dev/null +++ b/testing/btest/Baseline/core.analyzer-stream-event/out @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, T, 136, GET /download/CHANGES.bro-aux.tx +CHhAvVGS1DHFjwGM9, F, 1448, HTTP/1.1 200 OK\x0d\x0aDate: Thu, 07 M +CHhAvVGS1DHFjwGM9, F, 1448, rather than all. (Robin Somme +CHhAvVGS1DHFjwGM9, F, 1448, s/check-release to run before ma +CHhAvVGS1DHFjwGM9, F, 663, thread library when necessary ( diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index b64871a39f..5e88f9d327 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -249,6 +249,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek + build/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek 
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 99cb5d53a3..a3f06f9db9 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -249,6 +249,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek + build/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9c4ee0795b..48ce2af63b 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -441,6 +441,7 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1 
@@ -744,6 +745,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, ) @@ -1379,6 +1381,7 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) 
@@ -1682,6 +1685,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) @@ -2316,6 +2320,7 @@ 0.000000 | HookLoadFile ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek +0.000000 | HookLoadFile ./Zeek_StreamEvent.events.bif.zeek <...>/Zeek_StreamEvent.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek 
@@ -2619,6 +2624,7 @@ 0.000000 | HookLoadFileExtended ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_StreamEvent.events.bif.zeek <...>/Zeek_StreamEvent.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek diff --git a/testing/btest/Baseline/scripts.base.files.x509.files/files.log b/testing/btest/Baseline/scripts.base.files.x509.files/files.log index e64dfc52c0..ce19924fa1 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.files/files.log +++ b/testing/btest/Baseline/scripts.base.files.x509.files/files.log 
@@ -7,10 +7,10 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string -XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 -XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d -XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 -XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 -XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 
a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d -XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 +XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 +XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d +XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 +XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 +XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d +XXXXXXXXXX.XXXXXX 
Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/core/analyzer-stream-event-disable.zeek b/testing/btest/core/analyzer-stream-event-disable.zeek
new file mode 100644
index 0000000000..a44b86ec8d
--- /dev/null
+++ b/testing/btest/core/analyzer-stream-event-disable.zeek
@@ -0,0 +1,30 @@
+# @TEST-DOC: Show-case disable_analyzer() for ANALYZER_STREAM_EVENT after receiving a few events.
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+ {
+ Analyzer::register_for_port(Analyzer::ANALYZER_STREAM_EVENT, 80/tcp);
+ }
+
+
+event new_connection(c: connection)
+ {
+ print c$uid, "new_connection";
+ }
+
+global deliveries = 0;
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+ {
+ ++deliveries;
+ print c$uid, is_orig, |data|, data[:32];
+
+ if ( deliveries == 2 )
+ disable_analyzer(c$id, current_analyzer());
+ }
+
+event connection_state_remove(c: connection)
+ {
+ print c$uid, "connection_state_remove";
+ }
diff --git a/testing/btest/core/analyzer-stream-event.zeek b/testing/btest/core/analyzer-stream-event.zeek
new file mode 100644
index 0000000000..4bf00bbc12
--- /dev/null
+++ b/testing/btest/core/analyzer-stream-event.zeek
@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+ {
+ Analyzer::register_for_port(Analyzer::ANALYZER_STREAM_EVENT, 80/tcp);
+ }
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+ {
+ print c$uid, is_orig, |data|, data[:32];
+ }
From 079ae460a72057c1e26a4239e52878e2cc4d2b2f Mon Sep 17 00:00:00 2001
From: Arne Welzel Date: Thu, 5 Dec 2024 18:50:19 +0100 Subject: [PATCH 2/2] btest/http: Demo StreamEvent analyzer with HTTP::upgrade_analyzers Relates to #4068 --- .../http.log.cut | 8 +++ .../out | 27 +++++++++ testing/btest/Traces/README | 3 + .../Traces/http/docker-http-upgrade.pcap | Bin 0 -> 21221 bytes .../base/protocols/http/upgrade-to-tcp.zeek | 52 ++++++++++++++++++ 5 files changed, 90 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/http.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/out create mode 100644 testing/btest/Traces/http/docker-http-upgrade.pcap create mode 100644 testing/btest/scripts/base/protocols/http/upgrade-to-tcp.zeek diff --git a/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/http.log.cut b/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/http.log.cut new file mode 100644 index 0000000000..430546f483 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/http.log.cut @@ -0,0 +1,8 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid status_code method uri +CHhAvVGS1DHFjwGM9 200 HEAD /_ping +CHhAvVGS1DHFjwGM9 201 POST /v1.41/containers/create +C4J4Th3PJpwUYZZ6gc 204 POST /v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/start +C4J4Th3PJpwUYZZ6gc 200 POST /v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/resize?h=69&w=134 +CHhAvVGS1DHFjwGM9 200 POST /v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/wait?condition=next-exit +ClEkJM2Vm5giqnMf4h 101 POST /v1.41/containers/cc4fc8e49cadbb8bc41437dc2f9979a72293eabc3f0ea5ce48b77f43cb1f1d5e/attach?stderr=1&stdin=1&stdout=1&stream=1 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/out b/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/out new file mode 100644 index 0000000000..5d6a506556 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.upgrade-to-tcp/out @@ -0,0 +1,27 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ClEkJM2Vm5giqnMf4h, Connection upgraded to tcp +ClEkJM2Vm5giqnMf4h, responder, / # +ClEkJM2Vm5giqnMf4h, originator, ls +ClEkJM2Vm5giqnMf4h, responder, / # \x1b[Jls +ClEkJM2Vm5giqnMf4h, responder, \x1b[1;34mbin\x1b[m \x1b[1;34mdev\x1b[m \x1b[1;34metc\x1b[m \x1b[1;34mhome\x1b[m \x1b[1;34mlib\x1b[m \x1b[1;36mlib64\x1b[m \x1b[1;34mproc\x1b[m \x1b[1;34mroot\x1b[m \x1b[1;34msys\x1b[m \x1b[1;34mtmp\x1b[m \x1b[1;34musr\x1b[m \x1b[1;34mvar\x1b[m +ClEkJM2Vm5giqnMf4h, originator, cd /home +ClEkJM2Vm5giqnMf4h, responder, / # cd /home +ClEkJM2Vm5giqnMf4h, originator, ls -a +ClEkJM2Vm5giqnMf4h, responder, /home # ls -a +ClEkJM2Vm5giqnMf4h, responder, \x1b[1;34m.\x1b[m \x1b[1;34m..\x1b[m +ClEkJM2Vm5giqnMf4h, originator, cd +ClEkJM2Vm5giqnMf4h, responder, /home # cd +ClEkJM2Vm5giqnMf4h, originator, ls -a +ClEkJM2Vm5giqnMf4h, responder, ~ # ls -a +ClEkJM2Vm5giqnMf4h, responder, \x1b[1;34m.\x1b[m \x1b[1;34m..\x1b[m \x1b[0;0m.ash_history\x1b[m +ClEkJM2Vm5giqnMf4h, responder, ~ # cat .as +ClEkJM2Vm5giqnMf4h, originator, cat .as\x09 +ClEkJM2Vm5giqnMf4h, responder, ~ # cat .ash_history \x1b[J +ClEkJM2Vm5giqnMf4h, responder, ls +ClEkJM2Vm5giqnMf4h, responder, cd /home +ClEkJM2Vm5giqnMf4h, responder, ls -a +ClEkJM2Vm5giqnMf4h, responder, cd +ClEkJM2Vm5giqnMf4h, responder, ls -a +ClEkJM2Vm5giqnMf4h, responder, cat .ash_history +ClEkJM2Vm5giqnMf4h, originator, exit +ClEkJM2Vm5giqnMf4h, responder, ~ # exit diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 401a906349..53b0ea4c12 100644 --- a/testing/btest/Traces/README 
+++ b/testing/btest/Traces/README @@ -35,3 +35,6 @@ Trace Index/Sources: - http/cooper-grill-dvwa.pcapng Provided by cooper-grill on #3995 https://github.com/zeek/zeek/pull/3995 +- http/docker-http-upgrade.pcap + Provided by blightzero on #4068 + https://github.com/zeek/zeek/issues/4068 
diff --git a/testing/btest/Traces/http/docker-http-upgrade.pcap b/testing/btest/Traces/http/docker-http-upgrade.pcap new file mode 100644 index 0000000000000000000000000000000000000000..475161af69fc7ba866f0625b767f543e258cdc1b GIT binary patch literal 21221 zcmd6v33ycHxyL6MLJ~MEiWZCLI3XyvWMzOPfDp1kN+4+hgc?LAXC}!BXJ*1IVQ;Vn zwN=^ooucfUvM2~h0b@Z1LBUe&r6QL_K%^?0h~D@8&YYR^esehYxzDZb<>}bW$;@y5 z|Mz{r{Y;MUe{*>wQ?x1kFWM9ZPrm(GepR2WIMXlTXMB_lGPV3}82q={)emD$c_vej z=qbHTy<_%H+Pive6gvgGoQ?kL0y@hJCw8UPwvYkew)HvbYA zS__1B4Fuq>8h~I}$06}gPsN$ap(gO56hJsxQ3LAJkeGK=m)IuiZrvA30Du?+i5jPx zHm9einv41i@!7Rf(h!HoE4f_|f@CX%BgZCIJCbtTE}zFOXPI5@BoVK4!k@f8w+DW5 z`n|p+kE6~eOLm*j0q=oVLsXIq9j+>0b(T3bd}+{_T1S@I=NRovsg-S#tGijOwt2h` zUr)cUGATod55_fbbgjc9Ie}t>Pp!1cUf>paeeCTl%0hgx$5!REg*6HBr4CP>!=olA zB|SAc4gS|HoR?hCmt`L02i56a%>&(aU_ISxPRq!$W@M$On)?nIq$aOvFT?7c&T8%V zT&=Bf@JWz$#A*Z50kV_+|_QM7L6^0+^+b9E0Ofn!PK_O}TXvL6 zW8sbET{AnSb+$rqb8NNQ_E2cxS+2)j8+uQb$L+6md4pE4R9qmv9Nq^%6xCv}g`bx? zY#y;%`E}lCpT~y54TZBWqBI{>P%DP9IqZWJ?S+zSMCe^bZfB_o-CVZ42JAx&C42Z? z#o!n+Q{@2t!B7b9|zi8?wne`a$PZ646nm{ zV&m&0kC5DD4ymdd6HK1xI_e~BBN%V?GUWn#=~D|l?s^$Gap?U5-%wC=uXluh11gK5 z+jm1aK?pqimEY~NsZW3+`(R9;p2Apy;-zhSHQd%bq)KY&*mUAVq ztpeM#S~8N|TPQgtCH#YB{4uBvgsUx&xd7`TOB{SgK~b=QD)G}^>0@)*M@e=cv;`Dn z^Nw)Xi*3H@kO@o(R-@)3wCrHN0o_BWJF(=s?5r#EhA*id3Un6*#n}VYUj+L$ZR5$7 zC7U-K&;d3P+8YQ%!qe#@u z>C((O9-Iu=^(S`0Nt!YviyXZF7Zb66&a?~ah|C%@U^a+Tg#zdeETU+w6f+#wOwneq zsK}@gt!dWI-Rxp|WoBl#Ok20~^vuoA!`}e_n8h?Yhdl6v#44-8?UQNpEoF(R!I+2 zp$FTm| zy(*X-Pbsjsq_aXCbsdt{jh*H(FKcFm%PU*W*AQF#e0dqg(-#h`bGpx?V2 zaka%pU-qM>(PM#p^h}4Zra&6+sH+P|p&5!}4ibNyBA7No3F3qAMoi0Hk1*nNU1FQ4 zJ9Rxn-3TLwx{F{RyqYucin~zwM<{*JcceJWVhqLrvo&qOQ%+vyk}if)J5ynM`>^zV@Uz5&P9$ zp}L+6VSe^cVUs7kfEBC#E|^QH zdjxxC7!4qaE3w3u%Apebd0gK~3ALA?f$9w)bMd;`&9|FL$p7;I^7H4;txE&?Wt{

xOWvfgIo0VtqjG}RkgKnUj}G5vZI(-Y8Y@e$E-A5L7$T5foU zUQ5Iwa+}(672;3Ta$&&;dq%ygdv?w2Fsdi)8vQ$4F@`MlT~i16OS^(gCazSTq%`)?hqqo;$aG9M=T9Bk>jx zEwcp^?Ci4#-vmuvxJnSn$Zk>eH+BrVS_uE$tFzvBYh9|AfR zrfzpsq!^gBUyycYFysdd$+*QwvY)QXsgS2a8p)lRh`kLWt8*F|`7U5YJjqfHG!@?p zk@$Wm3yEGtj_*g1yl*q}%@16K;CmYNJ^MXDdMAq^|5VV(Am8#YbyZFS-vg-ccY26{ z+3%sqvPCgQzWX!c5zelTDmo&%Lb+m@$w?`(C#8BN=Ary2eQFW4P*^n$}D(hJpYr$f0Ce2XkqXkXFQ2^YFr z*`?qsYCY~CBzVCCoA`v`9plw9tWKY^mR|6CJ@i7I4KFCsesGgvvF3NVA1}DM*I51YP7?XxH;z`+QYCY#Oy^-8o$YjV zp1%Xc1=&$X&7p`959tzN2BP*=g0%0?;QYLZ$hv%j*2KWl2_yNnU{alREI@f|2eVl^V$Um!@{_mj-` zKRDlygYP-i_o}}MQlOY2TVHHyROdr=Rn7t5c&CzP5gjNI1FQaqB6oh>+{pK@8F4S? zTOktPM;=C^8<7`o5hU-sBlCTY^KAj&bE)suuM5(VhZ*wRZKKTt`DtC1bHR54^?jtR z7+C%K4ife7K;>c-c`G^I$oI31xRdj(5Q*=j zFfy)LEHK~JcvB%vW$_U)QGCkPiTVC7&UYgCUch{xQYVV*1`E>BgF<`?&iG&ggY1@F zg81Zc`01A-=;5e*f)(w^sIaDM_KJiH` z09UvGq(A@`(!_6sba^zvM zxaK=J2P1N)rC%vT;`_uBB$^Q!e~ch`-zm(u_BK%*$kV|0V(NQyM?pHVgdrOMX)tlC z)K$3{u(-*u8PHBF6$6_)n%d-7O{K}K#R*1y+ zsUb+TA#(LDg5>kfZsIM|ZuVimJA?0~)c4jif^=#KL%MexE>LQ8RW1drmHIvf%k`~i zP~_+BNGHVm9>ItkIo}GA`2O@Z5(PviB*Yr+Q?OfS%Fc87wu0|v%y(#?V*6x4`t-IC zkIa+6G$?dgSLQM>&K-YzdPfXwpNzz@$+4#4F!bOfV)!X`vDq3w9w|K@@eW&hd%bF7)Hj) zBC~-@AV#Kymc*w&KxAG*VuLZ!#fa;5h)?Sg?*rn@HLs$33{ET_KDoD&1P zTu78!8g2rPWW?2+Z-q#FpUpv{9g(|R6D04uEAxF8klNK?Ir#n~^}YLuAf3%&$U6@j z?)G?eRsIot52L=%=8A#cM^I#WKeFDSBCYi-Ir--_BJrTI3%jX6Gc1XLcQ3+`-999a zDj-B!LDuLwsFD9(jNb9*x#4*HiNuEolVuhqc9Ffz^-3-`iffXab2fA>AhOHQ=0+V~ zHZJ-)- zr#@ZtD?sgVn(}iMkfbX}{N9-8XT;aJa3Zlnj~ETa%Lhrv#uZV+OX&PZ?Tt=wRNwoB1D>UYvOv;xYQNWc+XRv3#ai628ksf8_h$a=OS_M??Oc7RK7{% zsr*F|%Myu042g*wm_}!asAyardGdrrMdM#7k&9zJ>oM}R>nwKHKxAXw_a#*2aMbv{ zA+h22EHl$UquK{yX2$7c28b6Bc9aK}3DTw34EcoBa64g?uFBT{E7BUj^pF@huna}+ zjwQW0?|U>OF6VqJMB@80oLnAQ=0#+m<^;+6&SJj*&iNL>_v_U6dy53=aw~?kwlEwZ z#^|bi9emrV@5`{A@ZKU6`Lh?vUM}x@EF&)Ed@Dri`vwxth@9~ zki736%=dqC`F4QsRn+(Ue-WfF`!i(2pA1Kb3A!p*f$vJ{`^y1h;QhbEfXGX+(MG!` zzhT6MoNt9ld|$0Yq79L!n-e7OyC?JgH_mq@_+CwYA8aH@SL+z^7cHZWM#Xwvm8-#b 
z74>~}v=}(p2t{^$mn?nxI-kgh;aldEeoY|~-`A3nC?K-i{&=HF##7AqDb9Bl_+G<& zhgMgIb_mk7WFa1zF$au>G5L92nQOqfM2%ld5d(*IAn}#s@uuIyJQ^Pn>z#3~UQFdI zPNk%(toxZdZ8@|XRHmrwso=>fo&&Rg>h<8VOT7$-#Hrm=oyj(D^|RFyetUHcTZo~s zPe7Q#e5yAShW8(JYc;5cf0#V$T-j+>o!uNsNg1B=Q=!Lg9puU~6JJg2p`}BCkF`kbE1= zX2HZSDQJVa6@s~zw!zP~3W!DI?$(A!k#M&k+&{>xTnmxhMts-A{6Y+TwiSt|O@?jo z1xCcXxU{|%BJthCi9{PB`!^;?-gh77`!AgDZQy$y^?l}+P}9W8kd0ytD+ulk1K+&L zb>MqD_1(lR2F~0Sw1L^C2E z`!9mzedjXYC%AmS1->^>-)9dCHF3Qe@(dsiR$wpds@wp+-=@Cf`iKF*f=FQ`IWOgX zzru*Ga=sNJ@!b@T+ z_})Z)U+5^*G+V-u6-`?h<$J2G%1z*VC-vQInHadxu{nrLJw(n8`Fu}f#PA<3P<$&y z;#*jWL@y#&93@EJH{7HM-&Vq#6t(%@3BET|-xt$`8et_vKJ<~{QRH-8m7Br$JJh$Z zS`1uFN0E1qkozHc-!mBTMXt^jBJtgP0}|s9DV}IzDu?;V`)cfj`> z%=Z`SY~_ngp{Dr;0cQp92NKNM2?*Y+iXS!c6T@3CX6mYc1LAR<#-sTrG4MrZ3m`V^ zC!G@?k6DZu{$_wu2MUqIqg5Od1w`IF6lFBWEMW2Ykc-E0h{u~O9-%qr<=H|_t2iMZ znTJ0x?C@sm%6t=ye?pD7YAOaU&qm^ozebt-kTHBjWUa~tH*G?-;$li$t)HkW>+Vyt zc6mOiY$|(&c+qZVTkAr+>@_FB4x9*I0aAbD6ROzCIAv&yZA=ag|G^$5`e5ru9A^t| z*1tR-ZG8+xgBfanW{W$RxDlt?3eQlPtrl2|NR9c_P$%1|8XDfI3hNZ~bhZLw{&q46 z;_Gf6OX%}lJ4ELK6p3a&*|t48cOY{84ua(SpF(CG?~l}E^o9V|x6uCQ`X-^KZF`1X zy3=r8HD6cd7Esxo`fi&j2Ci>Hkwb@&1vl?|0VCFPz7-H(bLn)K$3^e7B&!AAuWHZY;VVM9!4Sh8pjC z5hG6Ed@Dri`w9{zMCN-4lJ`AOx71sJ?`_og&C%fd3PW!68t&08)>XL;e7EF$Uljv4 zN2AEfW@M4W`(DC`<2c_6k@#*m4~afRCeWoA?;Gxhg`NxVhSlb~CHUS>ecwtDYTC_X z$lZW6m`^U%Rk;2nvmRsbZ$pv1*LT=z%&`By?@J{9CX;OXQDPT)8FM`*L{xe;#Wl%|Wd^zy5cxvS zIHR$znB@lV*wyBy73AhEmYdMncekBTW0@huBXbh`IWL3cEZ3F!79{5ZnjFhaF>tpX z5*rUC-5Qr17u;726?BkO`2bVdO8eEMyOp4FCK4we;!HsJ1M0;o6iq_ zR0aP;Q|bixDir%Z6n=EltY!v95zR)Xz2WgQ+!~(c%(%eJEhKKAZA6q;u<(r14Noi0 z-9R-7NMzw@HHQ%SGAq$-46UKeaFwe01{{Vb!G#)It|UY*g^8P3QH%&_)Skgnjb616 zXk|!@X5;bRi6NpkjuAv9j)y3bb6uZ_uJg|TQEduX6wktmS=>Yo5n^~3Tzk=V^Hsz( zM{I!AJ~XZ=8lrk)wibxmIEIKXQz93~Xg0p@4bMUp*KwfpIj(vjj(6{(##arAiJMtw RYC>^TGP4#=_QvZG{~JgjGc^DJ literal 0 HcmV?d00001 
diff --git a/testing/btest/scripts/base/protocols/http/upgrade-to-tcp.zeek b/testing/btest/scripts/base/protocols/http/upgrade-to-tcp.zeek
new file mode 100644
index 0000000000..4a04bb17dd
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/upgrade-to-tcp.zeek
@@ -0,0 +1,52 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/docker-http-upgrade.pcap %INPUT >out
+# @TEST-EXEC: zeek-cut -m uid status_code method uri < http.log > http.log.cut
+# @TEST-EXEC: btest-diff http.log.cut
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/http
+
+# Forward "tcp" data as events via the stream event analyzer.
+redef HTTP::upgrade_analyzers += {
+ ["tcp"] = Analyzer::ANALYZER_STREAM_EVENT,
+};
+
+event http_connection_upgrade(c: connection, protocol: string)
+ {
+ print c$uid, fmt("Connection upgraded to %s", protocol);
+ }
+
+redef record connection += {
+ orig_data: string &default="";
+ resp_data: string &default="";
+};
+
+function flush(c: connection)
+ {
+ # Don't copy this, it's not efficient.
+ local orig_parts = split_string(c$orig_data, /[\r\n]+/);
+ local resp_parts = split_string(c$resp_data, /[\r\n]+/);
+ local i = 0;
+
+ while ( i + 1 < |orig_parts| ) {
+ print c$uid, "originator", orig_parts[i];
+ ++i;
+ }
+ c$orig_data = orig_parts[-1];
+
+ i = 0;
+ while ( i + 1 < |resp_parts| ) {
+ print c$uid, "responder", resp_parts[i];
+ ++i;
+ }
+ c$resp_data = resp_parts[-1];
+ }
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+ {
+ if ( is_orig )
+ c$orig_data += data;
+ else
+ c$resp_data += data;
+
+ flush(c);
+ }
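Review bot: `flush` keeps everything after the last CR/LF in `c$orig_data` and `c$resp_data`, so for a direction that never sends a line break (binary traffic, or a peer that deliberately withholds newlines) the per-connection buffer grows without bound for the life of the connection, and the remote side controls that growth. Since this file is the example users will copy, the `# Don't copy this, it's not efficient.` comment should say so as well: `# Don't copy this: it is not efficient, and the per-direction buffers grow unbounded until a CR/LF arrives; cap them in real scripts.` A production handler would also want to truncate the buffer past some size, or stop the analyzer with `disable_analyzer(c$id, current_analyzer())` once enough has been seen, as the core test in this series demonstrates.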