Merge branch 'master' of https://github.com/blightzero/zeek

* 'master' of https://github.com/blightzero/zeek: Changed behavior of var-extraction-uri.zeek from policy/protocol/http to extract only the URI parameter names. Do not include the path in the first parameter name. Only extract uri vars if parameters actually exist.
2025-10-02 06:38:20 +00:00 · 2025-08-18 13:09:41 +02:00 · 2025-08-18 13:09:41 +02:00 · 2c9015d247
commit 2c9015d247
parent e04f725523 fafc0212a5
8 changed files with 22 additions and 4 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+8.1.0-dev.78 | 2025-08-18 13:13:21 +0200
+
+  * Changed behavior of var-extraction-uri.zeek from policy/protocol/http to extract only the URI parameter names. Do not include the path in the first parameter name. Only extract uri vars if parameters actually exist. (Benjamin Grap)
+
 8.1.0-dev.76 | 2025-08-18 09:40:05 +0200

  * Report PostgreSQL login success only after ReadyForQuery (Fupeng Zhao)
--- a/3
+++ b/3
@ -50,6 +50,9 @@ New Functionality
 Changed Functionality
 ---------------------

+- The var-extraction-uri.zeek policy does not include the path in the ``uri_vars``
+  field anymore.
+
 Removed Functionality
 ---------------------

--- a/2
+++ b/2
@ -1 +1 @@
-8.1.0-dev.76
+8.1.0-dev.78
--- a/scripts/policy/protocols/http/var-extraction-uri.zeek
+++ b/scripts/policy/protocols/http/var-extraction-uri.zeek
@ -13,5 +13,9 @@ redef record Info += {
 event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=2
 	{
-	c$http$uri_vars = extract_keys(original_URI, /&/);
+	local param_parts = split_string1(original_URI, /\?/);
+	if ( |param_parts| > 1 )
+		{
+		c$http$uri_vars = extract_keys(param_parts[1], /&/);
+		}
 	}
--- a/testing/btest/Baseline/scripts.policy.protocols.http.var-extraction-uri/http-reduced.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.var-extraction-uri/http-reduced.log
@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+/response-headers?Content-Type=application/octet-stream; charset=UTF-8&Content-Disposition=attachment; filename="test.json"	Content-Type,Content-Disposition
--- a/testing/btest/scripts/policy/protocols/http/var-extraction-uri.zeek
+++ b/testing/btest/scripts/policy/protocols/http/var-extraction-uri.zeek
@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -r ${TRACES}/http/http-filename.pcap %INPUT
+# @TEST-EXEC: zeek-cut uri uri_vars <http.log > http-reduced.log
+# @TEST-EXEC: btest-diff http-reduced.log
+
+@load policy/protocols/http/var-extraction-uri
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@ -1 +1 @@
-6dafc6fd68d9821f33b7f8f4d7d4d877b5827ae3
+31094f4840d0abc8fdf7f810e281851bd057931b
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-1edbd3ae959471e8573c9edc0374235727970710
+2b90a083a2b35a2a3c1d71ff92318c7a11263cd6