Adapting the HTTP request line parsing to only accept methods

consisting of letters [A-Za-z]. I had some bogus HTTP sessions now with the test-suite that reported data as HTTP because it started with "<!... ". Requiring letters seems a reasonable constraint.
2025-10-08 01:28:20 +00:00 · 2012-12-05 16:44:04 -08:00 · 2012-12-05 16:44:04 -08:00 · 57510464a1
commit 57510464a1
parent c8d264f105
6 changed files with 77 additions and 43 deletions
--- a/5
+++ b/5
@ -1,4 +1,9 @@
 2.1-209 | 2012-12-05 16:44:04 -0800
  * Adapting the HTTP request line parsing to only accept methods
    consisting of letters [A-Za-z]. (Robin Sommer)
 2.1-207 | 2012-12-05 15:47:32 -0800
  * Reporting warnings if kill/waitpid fail in communication system.
--- a/2
+++ b/2
@ -1 +1 @@
-2.1-207
+2.1-209
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -95,7 +95,9 @@ export {
 		"PROXY-CONNECTION",
 	} &redef;
-	## A list of HTTP methods. Other methods will generate a weird.
+	## A list of HTTP methods. Other methods will generate a weird. Note
        ## that the HTTP analyzer will only accept methods consisting solely
        ## of letters ``[A-Za-z]``.
 	const http_methods: set[string] = {
 		"GET", "POST", "HEAD", "OPTIONS",
 		"PUT", "DELETE", "TRACE", "CONNECT",
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@ -1119,21 +1119,29 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
 int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	{
 	const char* request_method_str = 0;
 	const char* end_of_request = 0;
 	const char* rest = 0;
 	int request_method_len = 0;
 	get_word(end_of_line - line, line, request_method_len, request_method_str);
-	const char* end_of_request = request_method_str + request_method_len;
+	if ( request_method_len == 0 )
-	const char* rest = skip_whitespace(end_of_request, end_of_line);
+		goto error;
-	if ( request_method_len == 0 || rest == end_of_request )
+	end_of_request = request_method_str + request_method_len;
 	for ( const char* p = request_method_str; p < end_of_request; p++ )
 		{
-		// End of line already reached. Most likely a DPD failure -
+		// The method must consist of only letters.
-		// this is pretty noisy for me, so leaving commented for now
+		if ( (*p < 'a' || *p > 'z') && (*p < 'A' || *p > 'Z') )
-		reporter->Weird(Conn(), "bad_HTTP_request");
+			goto error;
 		return 0;
 		}
 	rest = skip_whitespace(end_of_request, end_of_line);
 	if ( rest == end_of_request )
 		// End of line already reached. Most likely a DPD failure.
 		goto error;
 	request_method = new StringVal(request_method_len, request_method_str);
 	if ( ! ParseRequest(rest, end_of_line) )
@ -1144,6 +1152,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 			unescaped_URI->AsString()->Len(), true, true, true, true);
 	return 1;
 error:
 	reporter->Weird(Conn(), "bad_HTTP_request");
 	return 0;
 	}
 int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2012-12-05-23-27-37
+#open	2012-12-06-00-55-27
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
 1354328870.191989	UWkUyAuUGXf	128.2.6.136	46562	173.194.75.103	80	1	OPTIONS	www.google.com	*	-	-	0	962	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
@ -13,46 +13,46 @@
 1354328874.364020	j4u32Pc5bif	128.2.6.136	46566	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43911	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328878.470424	TEfuqmmG4bh	128.2.6.136	46567	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43983	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328882.575456	FrJExwHcSal	128.2.6.136	46568	173.194.75.103	80	1	GET	www.google.com	/HTTP/1.1	-	-	0	1207	403	Forbidden	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328882.908690	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	1	GET/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.928027	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328882.968948	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328882.990373	VW0XPVINV8a	128.2.6.136	46571	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43913	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328887.094494	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	1	\xc3\x83\xc3\x82\xc3\x83	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328887.114613	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	0	-	-	-	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328891.141058	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	1	\xc3\x83\xc3\x82\xc3\x83	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.161077	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328891.183942	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	1	\xc3\x83\xc3\x82\xc3\x83/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.204740	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328891.245592	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328891.267625	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	1	\xc3\x83\xc3\x82\xc3\x83/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.287655	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328891.309065	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.328583	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	0	-	-	-	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328895.355012	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	1	CCM_POST	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.375116	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328895.396634	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	1	CCM_POST/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.416133	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328895.459490	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328895.480865	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.500315	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	0	-	-	-	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328899.526682	EAr0uf4mhq	128.2.6.136	46582	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328903.572533	GvmoxJFXdTa	128.2.6.136	46583	173.194.75.103	80	1	CONNECT	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328903.614145	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	1	CONNECT/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.634196	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328903.676395	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328903.697693	UfGkYA2HI2g	128.2.6.136	46586	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328907.743696	i2rO3KD1Syg	128.2.6.136	46587	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328911.790590	2cx26uAvUPl	128.2.6.136	46588	173.194.75.103	80	1	TRACE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328911.832856	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	1	TRACE/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.853464	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328911.897044	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328911.918511	zno26fFZkrh	128.2.6.136	46591	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328915.964678	v5rgkJBig5l	128.2.6.136	46592	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328920.010458	eWZCH7OONC1	128.2.6.136	46593	173.194.75.103	80	1	DELETE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328920.052085	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	1	DELETE/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.072101	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328920.114526	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328920.136714	yC2d6kVg709	128.2.6.136	46596	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.183211	VcgagLjnO92	128.2.6.136	46597	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.224567	bdRoHfaPBo3	128.2.6.136	46598	173.194.75.103	80	1	PUT	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328924.266693	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	1	PUT/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.287402	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.328257	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.350343	xNYSS2hJkle	128.2.6.136	46601	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.391728	vMVjlplKKbd	128.2.6.136	46602	173.194.75.103	80	1	POST	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.433150	3omNawSNrxj	128.2.6.136	46603	173.194.75.103	80	1	POST	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
-1354328924.476011	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	1	POST/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.496732	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.537671	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328924.559704	E490YZTUozc	128.2.6.136	46606	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-
 1354328928.625437	YIeWJmXWNWj	128.2.6.136	46607	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-
 1354328932.692706	ydiZblvsYri	128.2.6.136	46608	173.194.75.103	80	1	HEAD	www.google.com	/HTTP/1.1	-	-	0	0	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	-
-1354328932.734579	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	1	HEAD/	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328932.754657	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
 1354328932.796568	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
-#close	2012-12-05-23-27-37
+#close	2012-12-06-00-55-28
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
@ -3,44 +3,59 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2012-12-05-23-27-37
+#open	2012-12-06-00-55-27
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1354328874.278822	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328874.299063	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328874.321792	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328874.342591	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328882.908690	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	unknown_HTTP_method	GET/	F	bro
+1354328882.908690	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328882.928027	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328882.949510	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328882.968948	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328887.094494	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	unknown_HTTP_method	\xc3\x83\xc3\x82\xc3\x83	F	bro
+1354328887.094494	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.141058	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	unknown_HTTP_method	\xc3\x83\xc3\x82\xc3\x83	F	bro
+1354328887.114613	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328891.183942	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	unknown_HTTP_method	\xc3\x83\xc3\x82\xc3\x83/	F	bro
+1354328891.141058	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328891.161077	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328891.183942	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328891.204740	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328891.226199	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328891.245592	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328891.267625	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	unknown_HTTP_method	\xc3\x83\xc3\x82\xc3\x83/	F	bro
+1354328891.267625	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.309065	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328891.287655	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328895.355012	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328891.309065	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328895.396634	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	unknown_HTTP_method	CCM_POST/	F	bro
+1354328891.328583	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328895.355012	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328895.375116	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328895.396634	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328895.416133	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328895.438812	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328895.459490	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328895.480865	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328895.480865	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328903.614145	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	unknown_HTTP_method	CONNECT/	F	bro
+1354328895.500315	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328903.614145	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328903.634196	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328903.656369	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328903.676395	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328911.832856	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	unknown_HTTP_method	TRACE/	F	bro
+1354328911.832856	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328911.853464	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328911.876341	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328911.897044	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328920.052085	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	unknown_HTTP_method	DELETE/	F	bro
+1354328920.052085	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328920.072101	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328920.094072	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328920.114526	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328924.266693	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	unknown_HTTP_method	PUT/	F	bro
+1354328924.266693	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328924.287402	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328924.308714	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328924.328257	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328924.476011	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	unknown_HTTP_method	POST/	F	bro
+1354328924.476011	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328924.496732	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328924.518204	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328924.537671	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-1354328932.734579	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	unknown_HTTP_method	HEAD/	F	bro
+1354328932.734579	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.754657	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
 1354328932.776609	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.796568	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
-#close	2012-12-05-23-27-37
+#close	2012-12-06-00-55-28