diff --git a/CHANGES b/CHANGES
index ab1d593d4d..226df765af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+8.1.0-dev.78 | 2025-08-18 13:13:21 +0200
+
+ * Changed behavior of var-extraction-uri.zeek from policy/protocol/http to extract only the URI parameter names. Do not include the path in the first parameter name. Only extract uri vars if parameters actually exist. (Benjamin Grap)
+
 8.1.0-dev.76 | 2025-08-18 09:40:05 +0200 * Report PostgreSQL login success only after ReadyForQuery (Fupeng Zhao)
diff --git a/NEWS b/NEWS
index 7116f65555..1be6c81111 100644
--- a/NEWS
+++ b/NEWS
@@ -50,6 +50,9 @@ New Functionality Changed Functionality ---------------------
+- The var-extraction-uri.zeek policy does not include the path in the ``uri_vars``
+ field anymore.
+
 Removed Functionality ---------------------
diff --git a/VERSION b/VERSION
index 1bb074ccb2..7ed290e198 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.1.0-dev.76
+8.1.0-dev.78
diff --git a/scripts/policy/protocols/http/var-extraction-uri.zeek b/scripts/policy/protocols/http/var-extraction-uri.zeek
index 776c659530..36054648d0 100644
--- a/scripts/policy/protocols/http/var-extraction-uri.zeek
+++ b/scripts/policy/protocols/http/var-extraction-uri.zeek
@@ -13,5 +13,9 @@ redef record Info += { event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &priority=2 {
- c$http$uri_vars = extract_keys(original_URI, /&/);
+ local param_parts = split_string1(original_URI, /\?/);
+ if ( |param_parts| > 1 )
+ {
+ c$http$uri_vars = extract_keys(param_parts[1], /&/);
+ }
 }
diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.var-extraction-uri/http-reduced.log b/testing/btest/Baseline/scripts.policy.protocols.http.var-extraction-uri/http-reduced.log
new file mode 100644
index 0000000000..8535152fac
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.var-extraction-uri/http-reduced.log
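Review bot: In the `http_request` handler of scripts/policy/protocols/http/var-extraction-uri.zeek, the new guard `|param_parts| > 1` only establishes that a `?` was present, so a request like `/path?` with an empty query still reaches `extract_keys` with an empty string. Depending on how `extract_keys` treats empty input (its definition is outside this diff), that may log a single empty parameter name, which would not match the stated "only if parameters actually exist"; consider `if ( |param_parts| > 1 && |param_parts[1]| > 0 )`. Requests without a query string now leave `uri_vars` unset instead of holding the path, so detection scripts that read `c$http$uri_vars` should test `c$http?$uri_vars` first (presumably the field is optional; its declaration is outside the hunk). A comment above the `if` such as `# uri_vars is only set when the URI has a query string; names are taken from original_URI and are not percent-decoded.` would make both points visible to anyone matching on these names.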
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+/response-headers?Content-Type=application/octet-stream; charset=UTF-8&Content-Disposition=attachment; filename="test.json" Content-Type,Content-Disposition
diff --git a/testing/btest/scripts/policy/protocols/http/var-extraction-uri.zeek b/testing/btest/scripts/policy/protocols/http/var-extraction-uri.zeek
new file mode 100644
index 0000000000..5ae01c44ea
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/http/var-extraction-uri.zeek
@@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -r ${TRACES}/http/http-filename.pcap %INPUT
+# @TEST-EXEC: zeek-cut uri uri_vars http-reduced.log
+# @TEST-EXEC: btest-diff http-reduced.log
+
+@load policy/protocols/http/var-extraction-uri
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing
index 4d12c67ff0..f88d37e597 100644
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@@ -1 +1 @@
-6dafc6fd68d9821f33b7f8f4d7d4d877b5827ae3
+31094f4840d0abc8fdf7f810e281851bd057931b
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index f01f56f57a..0c6db43a2e 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-1edbd3ae959471e8573c9edc0374235727970710
+2b90a083a2b35a2a3c1d71ff92318c7a11263cd6
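Review bot: The new btest in testing/btest/scripts/policy/protocols/http/var-extraction-uri.zeek pins only the positive case, because the baseline holds a single request whose URI carries a query string. Nothing asserts that `uri_vars` stays unset for a request without `?`, or what is logged for an empty query or a parameter without `=`. Since the behaviour changed by this commit is exactly the path and no-parameter handling, a trace with at least one parameterless request (and ideally a bare trailing `?`) would let the baseline catch a regression there. A header comment such as `# Checks that uri_vars holds only query parameter names, never the path.` would also record the intent of the test.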