mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Merge remote-tracking branch 'origin/topic/jsiwek/http-1xx-replies'
* origin/topic/jsiwek/http-1xx-replies: Change logging of HTTP 1xx responses to occur in their own columns. Fix handling of HTTP 1xx response codes (addresses #411).
This commit is contained in:
Robin Sommer
commit
4d6a90ce89
12 changed files with 76 additions and 34 deletions
|
|
@ -48,6 +48,10 @@ export {
|
||||||
status_code: count &log &optional;
|
status_code: count &log &optional;
|
||||||
## The status message returned by the server.
|
## The status message returned by the server.
|
||||||
status_msg: string &log &optional;
|
status_msg: string &log &optional;
|
||||||
|
## The last 1xx informational reply code returned by the server.
|
||||||
|
info_code: count &log &optional;
|
||||||
|
## The last 1xx informational reply message returned by the server.
|
||||||
|
info_msg: string &log &optional;
|
||||||
## The filename given in the Content-Disposition header
|
## The filename given in the Content-Disposition header
|
||||||
## sent by the server.
|
## sent by the server.
|
||||||
filename: string &log &optional;
|
filename: string &log &optional;
|
||||||
|
|
@ -111,6 +115,11 @@ redef capture_filters += {
|
||||||
["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
|
["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
|
||||||
};
|
};
|
||||||
|
|
||||||
|
function code_in_range(c: count, min: count, max: count) : bool
|
||||||
|
{
|
||||||
|
return c >= min && c <= max;
|
||||||
|
}
|
||||||
|
|
||||||
function new_http_session(c: connection): Info
|
function new_http_session(c: connection): Info
|
||||||
{
|
{
|
||||||
local tmp: Info;
|
local tmp: Info;
|
||||||
|
|
@ -163,12 +172,21 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
|
||||||
local s: State;
|
local s: State;
|
||||||
c$http_state = s;
|
c$http_state = s;
|
||||||
}
|
}
|
||||||
|
|
||||||
++c$http_state$current_response;
|
# If the last response was an informational 1xx, we're still expecting
|
||||||
|
# the real response to the request, so don't create a new Info record yet.
|
||||||
|
if ( c$http_state$current_response !in c$http_state$pending ||
|
||||||
|
! code_in_range(c$http_state$pending[c$http_state$current_response]$status_code, 100, 199) )
|
||||||
|
++c$http_state$current_response;
|
||||||
set_state(c, F, F);
|
set_state(c, F, F);
|
||||||
|
|
||||||
c$http$status_code = code;
|
c$http$status_code = code;
|
||||||
c$http$status_msg = reason;
|
c$http$status_msg = reason;
|
||||||
|
if ( code_in_range(code, 100, 199) )
|
||||||
|
{
|
||||||
|
c$http$info_code = code;
|
||||||
|
c$http$info_msg = reason;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
|
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
|
||||||
|
|
@ -245,8 +263,13 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
|
||||||
# The reply body is done so we're ready to log.
|
# The reply body is done so we're ready to log.
|
||||||
if ( ! is_orig )
|
if ( ! is_orig )
|
||||||
{
|
{
|
||||||
Log::write(HTTP::LOG, c$http);
|
# If the response was an informational 1xx, we're still expecting
|
||||||
delete c$http_state$pending[c$http_state$current_response];
|
# the real response later, so we'll continue using the same record.
|
||||||
|
if ( ! code_in_range(c$http$status_code, 100, 199) )
|
||||||
|
{
|
||||||
|
Log::write(HTTP::LOG, c$http);
|
||||||
|
delete c$http_state$pending[c$http_state$current_response];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1305,7 +1305,9 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
|
||||||
if ( reply_message )
|
if ( reply_message )
|
||||||
reply_message->Done(interrupted, msg);
|
reply_message->Done(interrupted, msg);
|
||||||
|
|
||||||
if ( ! unanswered_requests.empty() )
|
// 1xx replies do not indicate the final response to a request,
|
||||||
|
// so don't pop an unanswered request in that case.
|
||||||
|
if ( (reply_code < 100 || reply_code >= 200) && ! unanswered_requests.empty() )
|
||||||
{
|
{
|
||||||
Unref(unanswered_requests.front());
|
Unref(unanswered_requests.front());
|
||||||
unanswered_requests.pop();
|
unanswered_requests.pop();
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path http
|
#path http
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string string file
|
||||||
1316124231.969273 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - -
|
1317149787.593092 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - - - text/html - -
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path http
|
#path http
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string string file
|
||||||
1316124231.969273 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - -
|
1317149787.593092 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - - - text/html - -
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path http
|
#path http
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string string file
|
||||||
1316124240.720195 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - -
|
1317149750.648989 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - - - text/html - -
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path http
|
#path http
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string string file
|
||||||
1316124240.720195 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - text/html - -
|
1317149750.648989 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 0 F 9130 F 200 OK - - - - - - - text/html - -
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path http
|
#path http
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string string file
|
||||||
1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 F 346 F 404 Not Found - - - - - text/html - -
|
1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 F 346 F 404 Not Found - - - - - - - text/html - -
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,5 @@
|
||||||
|
#separator \x09
|
||||||
|
#path http
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string string file
|
||||||
|
1237440095.634312 UWkUyAuUGXf 192.168.3.103 54102 128.146.216.51 80 POST www.osu.edu / - curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 F 60731 F 200 OK 100 Continue - - - - - text/html - -
|
||||||
|
|
@ -1,9 +1,9 @@
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path http
|
#path http
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port string string string string string count bool count bool count string string table string string table string string file
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string string file
|
||||||
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2675 F 200 OK - - - - - FAKE_MIME - -
|
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2675 F 200 OK - - - - - - - FAKE_MIME - -
|
||||||
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 21421 F 200 OK - - - - - FAKE_MIME - -
|
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 21421 F 200 OK - - - - - - - FAKE_MIME - -
|
||||||
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 94 F 200 OK - - - - - FAKE_MIME - -
|
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 94 F 200 OK - - - - - - - FAKE_MIME - -
|
||||||
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2349 F 200 OK - - - - - image/png e0029eea80812e9a8e57b8d05d52938a -
|
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2349 F 200 OK - - - - - - - image/png e0029eea80812e9a8e57b8d05d52938a -
|
||||||
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 27579 F 200 OK - - - - - image/png 30aa926344f58019d047e85ba049ca1e -
|
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 27579 F 200 OK - - - - - - - image/png 30aa926344f58019d047e85ba049ca1e -
|
||||||
|
|
|
||||||
|
|
@ -1,9 +1,9 @@
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path http
|
#path http
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg filename tags username password proxied md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_body_len request_body_interrupted response_body_len response_body_interrupted status_code status_msg info_code info_msg filename tags username password proxied md5 extraction_file
|
||||||
#types time string addr port addr port string string string string string count bool count bool count string string table string string table string file
|
#types time string addr port addr port string string string string string count bool count bool count string count string string table string string table string file
|
||||||
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2675 F 200 OK - - - - - - -
|
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2675 F 200 OK - - - - - - - - -
|
||||||
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 21421 F 200 OK - - - - - - -
|
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 21421 F 200 OK - - - - - - - - -
|
||||||
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 94 F 200 OK - - - - - - -
|
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 94 F 200 OK - - - - - - - - -
|
||||||
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2349 F 200 OK - - - - - - -
|
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 2349 F 200 OK - - - - - - - - -
|
||||||
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 27579 F 200 OK - - - - - - -
|
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 F 27579 F 200 OK - - - - - - - - -
|
||||||
|
|
|
||||||
BIN
testing/btest/Traces/http-100-continue.trace
Normal file
BIN
testing/btest/Traces/http-100-continue.trace
Normal file
Binary file not shown.
12
testing/btest/scripts/base/protocols/http/100-continue.bro
Normal file
12
testing/btest/scripts/base/protocols/http/100-continue.bro
Normal file
|
|
@ -0,0 +1,12 @@
|
||||||
|
# This tests that the HTTP analyzer does not generate an unmatched_HTTP_reply
|
||||||
|
# weird as a result of seeing both a 1xx response and the real response to
|
||||||
|
# a given request. The http scripts should also be able log such replies
|
||||||
|
# in a way that correlates the final response with the request.
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: bro -r $TRACES/http-100-continue.trace %INPUT
|
||||||
|
# @TEST-EXEC: grep -q unmatched_HTTP_reply weird.log && exit 1 || exit 0
|
||||||
|
# @TEST-EXEC: btest-diff http.log
|
||||||
|
|
||||||
|
# The base analysis scripts are loaded by default.
|
||||||
|
#@load base/protocols/http
|
||||||
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue