From 642ef5d3c1a4032a77a95314167682fdbbd6ca17 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 15 Jan 2016 12:45:19 -0800 Subject: [PATCH] Tweaking how HTTP requests without URIs are handled. The change from #49 made it an error to not have a URI. That however then led requests with a URI yet no version to abort as well. Instead, we now check if the token following the method is an "HTTP/" version identifier. If so, accept that the URI is empty (and trigger a weird) but otherwise keep processing. Adding test cases for both HTTP requests without URI and without version. --- CHANGES | 6 ++--- VERSION | 2 +- src/analyzer/protocol/http/HTTP.cc | 10 ++++---- .../http.log | 13 +++++++++-- .../weird.log | 22 +++--------------- .../http.log | 10 ++++++++ .../weird.log | 10 ++++++++ .../http.log | 10 ++++++++ testing/btest/Traces/http/no-uri.pcap | Bin 0 -> 6336 bytes testing/btest/Traces/http/no-version.pcap | Bin 0 -> 1268 bytes .../scripts/base/protocols/http/no-uri.bro | 4 ++++ .../base/protocols/http/no-version.bro | 3 +++ 12 files changed, 60 insertions(+), 30 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log create mode 100644 testing/btest/Traces/http/no-uri.pcap create mode 100644 testing/btest/Traces/http/no-version.pcap create mode 100644 testing/btest/scripts/base/protocols/http/no-uri.bro create mode 100644 testing/btest/scripts/base/protocols/http/no-version.bro diff --git a/CHANGES b/CHANGES index 6202e2c47a..64ca3e1776 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,12 +1,12 @@ -2.4-236 | 2016-01-15 10:35:21 -0800 +2.4-238 | 2016-01-15 12:56:33 -0800 * Add HTTP version information to HTTP log file. (Aaron Eppert) * Add NOTIFY as a valid SIP message, per RFC 3265. (Aaron Eppert) - * Let HTTP parser reject requests that don't have both URI and - version. (William Glodek) + * Improve HTTP parser's handling of requests that don't have a URI. + (William Glodek/Robin Sommer) * Fix crash when deleting non existing record member. Addresses BIT-1519. (Johanna Amann) diff --git a/VERSION b/VERSION index ac096732cd..1b16a39866 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-236 +2.4-238 diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index de930f730a..36c92ed6e6 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -1249,11 +1249,11 @@ int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) break; } - if ( end_of_uri >= end_of_line ) - { - Weird("missing_HTTP_uri"); - return 0; - } + if ( end_of_uri >= end_of_line && PrefixMatch(line, end_of_line, "HTTP/") ) + { + Weird("missing_HTTP_uri"); + end_of_uri = line; // Leave URI empty. + } for ( version_start = end_of_uri; version_start < end_of_line; ++version_start ) { diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log index 8078cc471a..353348a40d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log 
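Review bot: The new condition in `ParseRequest` (HTTP.cc hunk) raises `missing_HTTP_uri` only when the text after the method starts with `HTTP/`, so a request line with nothing at all after the method (`line == end_of_line`) now passes this check with no weird and no early return, where the removed code flagged and rejected it. Whether an empty remainder can reach this point depends on the caller, which is outside the hunk; if it can, the anomaly record for that malformed request is lost, and the guard could read `if ( end_of_uri >= end_of_line && (line == end_of_line || PrefixMatch(line, end_of_line, "HTTP/")) )`. A short comment above the test would also help the next reader, e.g. `// Remainder is all URI characters: if it starts with "HTTP/", treat it as the version of a request that has no URI.` The body of `ParseRequest` starts and ends outside the hunk, so what happens to the empty-URI request after the version loop cannot be confirmed from here.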
@@ -3,14 +3,16 @@ #empty_field (empty) #unset_field - #path http -#open 2016-01-15-18-41-03 +#open 2016-01-15-20-54-31 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types #types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] 1354328870.191989 CXWv6p3arKYeMETxOg 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - 1.1 - 0 962 405 Method Not Allowed - - - (empty) - - - - - FKgccv1sOsIPuN3b73 text/html +1354328874.237327 CjhGID4nQcgTWjvg4c 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com (empty) - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FWUdF12OgqGLhf3NPl text/html 1354328874.299063 CCvvfg3TEfuqmmG4bh 128.2.6.136 46564 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FrYoRN2EwpZyXbyvF8 text/html 1354328874.342591 CsRx2w45OKnoww6xl4 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FJPouz1lbXUsa4Ef1 text/html 1354328874.364020 CRJuHdVW0XPVINV8a 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43911 200 OK - - - (empty) - - - - - FbONWS332vB7QP1sDi text/html 1354328878.470424 CPbrpk1qSsw6ESzHV4 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43983 200 OK - - - (empty) - - - - - Fw8xGD2taqNAOVvI88 text/html +1354328882.575456 C6pKV8GSxOnSLghOa 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 1.0 - 0 1207 403 Forbidden - - - (empty) - - - - - FdEQPY3H4Z608y5yq1 text/html 1354328882.928027 CIPOse170MGiRM1Qf4 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - 
FcNjaW3kDUju84cG3 text/html 1354328882.968948 C7XEbhP654jzLoe3a 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Fe8v8c49yLvORp3zva text/html 1354328882.990373 CJ3xTn1c4Zw9TmAE05 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43913 200 OK - - - (empty) - - - - - FAbDo7c8yz5wducYb text/html 
@@ -20,30 +22,37 @@ 1354328891.245592 C3SfNE4BWaU4aSuwkc 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FOOeqs4Vg0Zs3rcVYi text/html 1354328891.287655 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - F2wfYn1yFdeOeHFYA8 text/html 1354328891.309065 CwSkQu4eWZCH7OONC1 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - 0 963 405 Method Not Allowed - - - (empty) - - - - - F1d9bG11AdUoYIAPna text/html +1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - F73Xpt400aDAjp1tOj text/html 1354328895.416133 CzA03V1VcgagLjnO92 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FANgwp2fEJblWfGtqk text/html 1354328895.459490 CyAhVIzHqb7t7kv28 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FUelQv4zC3B2JEWwQ6 text/html 1354328895.480865 Cab0vO1xNYSS2hJkle 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - 0 963 405 Method Not Allowed - - - (empty) - - - - - FodlEg40uUijFetJb9 text/html 1354328899.526682 Cx2FqO23omNawSNrxj 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - 0 925 400 Bad Request - - - (empty) - - - - - FgQlB81dSyLHN5T8Q4 text/html +1354328903.572533 Cx3C534wEyF3OvvcQe 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FW2UCD2e0jxAndsTK3 text/html 1354328903.634196 CkDsfG2YIeWJmXWNWj 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FKANAL2sLvMgJdaEKa text/html 1354328903.676395 CUKS0W3HFYOnBqSE5e 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FNRuYy4eahAmiehFvd text/html 1354328903.697693 CRrfvP2lalMAYOCLhj 
128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - 0 925 400 Bad Request - - - (empty) - - - - - FAVGIL2N6x9nLyfGHh text/html 1354328907.743696 Cn78a440HlxuyZKs6f 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - 0 960 405 Method Not Allowed - - - (empty) - - - - - FKbiICMAvCsO6CFjk text/html +1354328911.790590 CUof3F2yAIid8QS3dk 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FD5riIpYe5BLR0aok text/html 1354328911.853464 CojBOU3CXcLHl1r6x1 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FUzHwP1gT2UJYnUpUi text/html 1354328911.897044 CJzVQRGJrX6V15ik7 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FfLe59279TLFl2hHKc text/html 1354328911.918511 ClAbxY1nmdjCuo0Le2 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - 0 960 405 Method Not Allowed - - - (empty) - - - - - FQrvtP3qpKeKPxn5Gf text/html 1354328915.964678 CwG0BF1VXE0gWgs78 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - 0 961 405 Method Not Allowed - - - (empty) - - - - - Fs5qiV3XoBOExKLdi4 text/html +1354328920.010458 CisNaL1Cm73CiNOmcg 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FpkucFbcGcM4CNkZf text/html 1354328920.072101 CBQnJn22qN8TOeeZil 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FBu6A04t7ZjbY0dCi8 text/html 1354328920.114526 CbEsuD3dgDDngdlbKf 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Fk7Se84fbLvbZEfBCd text/html 1354328920.136714 Cktvtw2VqwbTG0OgWk 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - 0 961 405 Method Not Allowed - - - (empty) - - - - - FNb8ZY2Zvw0MpF1qU4 text/html 1354328924.183211 CKfF8L3XSsgT2WYDN 128.2.6.136 46597 
173.194.75.103 80 1 PUT www.google.com / - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - Fo23U03XCMamm7QQWe text/html +1354328924.224567 CHrnr1115j0JRSXjG6 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - FqyVeZqSV8Tz7hfT1 text/html 1354328924.287402 Cnkr172qPtDAaK7Xd 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Ft15j5I9xSpfcA7Fh text/html 1354328924.328257 CcxZj6188NwHGl3a16 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FyF5ac1kxwCDvXZKz7 text/html 1354328924.350343 CUqYZc2XzbfnZKbgT 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - FuGiTK15gnR7f8Uti2 text/html 1354328924.391728 CVdnYXVEtNT1lQVL6 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - F93zuy2MGUDDPwg0xl text/html +1354328924.433150 CbNmy32YFt3gdIjV8 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - FRJvy31aqXlFemaBfc text/html 1354328924.496732 COTmF91mGWcb4zV7W5 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Fcnnrf1A8AgOFzLHM text/html 1354328924.537671 CuChlg202P8sUFuXrg 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FI3I73110YtFWCuaG3 text/html 1354328924.559704 CZTTFm2GrMAs8leAyl 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - 0 0 200 OK - - - (empty) - - - - - - - 1354328928.625437 CV23rC3tBHfPhMUPtf 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - 0 0 200 OK - - - (empty) - - - - - - - +1354328932.692706 CkaPGx2P0Y3W5aHVFk 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 1.0 - 0 0 400 Bad Request - - - (empty) - - - - - - - 1354328932.754657 
CY93mM3aViMiLKuSw3 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FaVAsywxxOtGAzel8 text/html 1354328932.796568 CXgISq6dA2DVPzqp9 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FmzgEKnyfPnyZqmh text/html -#close 2016-01-15-18-41-03 +#close 2016-01-15-20-54-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log index 7411f969b6..e10847fe2d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log @@ -3,15 +3,12 @@ #empty_field (empty) #unset_field - #path weird -#open 2016-01-15-18-41-03 +#open 2016-01-15-20-54-31 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1354328874.237327 CjhGID4nQcgTWjvg4c 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F bro -1354328874.237327 CjhGID4nQcgTWjvg4c 128.2.6.136 46563 173.194.75.103 80 bad_HTTP_request - F bro 1354328874.278822 CCvvfg3TEfuqmmG4bh 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F bro 1354328874.321792 CsRx2w45OKnoww6xl4 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F bro -1354328882.575456 C6pKV8GSxOnSLghOa 128.2.6.136 46568 173.194.75.103 80 missing_HTTP_uri - F bro -1354328882.575456 C6pKV8GSxOnSLghOa 128.2.6.136 46568 173.194.75.103 80 bad_HTTP_request - F bro 1354328882.908690 CIPOse170MGiRM1Qf4 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F bro 1354328882.949510 C7XEbhP654jzLoe3a 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro 1354328887.094494 CMXxB5GvmoxJFXdTa 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro 
@@ -20,33 +17,20 @@ 1354328891.226199 C3SfNE4BWaU4aSuwkc 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro 1354328891.267625 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request - F bro 1354328891.309065 CwSkQu4eWZCH7OONC1 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro -1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 missing_HTTP_uri - F bro -1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 bad_HTTP_request - F bro +1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro 1354328895.396634 CzA03V1VcgagLjnO92 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro 1354328895.438812 CyAhVIzHqb7t7kv28 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F bro 1354328895.480865 Cab0vO1xNYSS2hJkle 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro -1354328903.572533 Cx3C534wEyF3OvvcQe 128.2.6.136 46583 173.194.75.103 80 missing_HTTP_uri - F bro -1354328903.572533 Cx3C534wEyF3OvvcQe 128.2.6.136 46583 173.194.75.103 80 bad_HTTP_request - F bro 1354328903.614145 CkDsfG2YIeWJmXWNWj 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F bro 1354328903.656369 CUKS0W3HFYOnBqSE5e 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F bro -1354328911.790590 CUof3F2yAIid8QS3dk 128.2.6.136 46588 173.194.75.103 80 missing_HTTP_uri - F bro -1354328911.790590 CUof3F2yAIid8QS3dk 128.2.6.136 46588 173.194.75.103 80 bad_HTTP_request - F bro 1354328911.832856 CojBOU3CXcLHl1r6x1 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F bro 1354328911.876341 CJzVQRGJrX6V15ik7 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F bro -1354328920.010458 CisNaL1Cm73CiNOmcg 128.2.6.136 46593 173.194.75.103 80 missing_HTTP_uri - F bro -1354328920.010458 CisNaL1Cm73CiNOmcg 128.2.6.136 46593 173.194.75.103 80 bad_HTTP_request - F bro 1354328920.052085 CBQnJn22qN8TOeeZil 128.2.6.136 46594 173.194.75.103 80 
bad_HTTP_request - F bro 1354328920.094072 CbEsuD3dgDDngdlbKf 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F bro -1354328924.224567 CHrnr1115j0JRSXjG6 128.2.6.136 46598 173.194.75.103 80 missing_HTTP_uri - F bro -1354328924.224567 CHrnr1115j0JRSXjG6 128.2.6.136 46598 173.194.75.103 80 bad_HTTP_request - F bro 1354328924.266693 Cnkr172qPtDAaK7Xd 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F bro 1354328924.308714 CcxZj6188NwHGl3a16 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F bro -1354328924.433150 CbNmy32YFt3gdIjV8 128.2.6.136 46603 173.194.75.103 80 missing_HTTP_uri - F bro -1354328924.433150 CbNmy32YFt3gdIjV8 128.2.6.136 46603 173.194.75.103 80 bad_HTTP_request - F bro 1354328924.476011 COTmF91mGWcb4zV7W5 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F bro 1354328924.518204 CuChlg202P8sUFuXrg 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F bro -1354328932.692706 CkaPGx2P0Y3W5aHVFk 128.2.6.136 46608 173.194.75.103 80 missing_HTTP_uri - F bro -1354328932.692706 CkaPGx2P0Y3W5aHVFk 128.2.6.136 46608 173.194.75.103 80 bad_HTTP_request - F bro 1354328932.734579 CY93mM3aViMiLKuSw3 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F bro 1354328932.776609 CXgISq6dA2DVPzqp9 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F bro -#close 2016-01-15-18-41-03 +#close 2016-01-15-20-54-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log new file mode 100644 index 0000000000..bdcd4aae19 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2016-01-15-20-42-50 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] +1362692526.939527 CXWv6p3arKYeMETxOg 141.142.228.5 59856 192.150.187.43 80 1 GET bro.org (empty) - 1.1 - 0 4705 200 OK - - - (empty) - - - - - FakNcS1Jfe01uljb3 text/plain +#close 2016-01-15-20-42-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log new file mode 100644 index 0000000000..cd31c6030f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2016-01-15-20-42-50 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1362692526.939527 CXWv6p3arKYeMETxOg 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F bro +#close 2016-01-15-20-42-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log b/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log new file mode 100644 index 0000000000..a1ab36435b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2016-01-15-20-44-15 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] +1036020209.801685 CXWv6p3arKYeMETxOg 131.243.1.23 1035 131.243.1.10 80 1 GET - /cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t - - - 0 0 - - - - - (empty) - - - - - - - +#close 2016-01-15-20-44-15 
diff --git a/testing/btest/Traces/http/no-uri.pcap b/testing/btest/Traces/http/no-uri.pcap new file mode 100644 index 0000000000000000000000000000000000000000..86c42097a147d7a6020a79a76da475fbf42f297b GIT binary patch literal 6336 zcma)AU2Ggz72dc>TNb&b2%$ceTel^S>)HSH&!lPV*l~VpC&pg4;)UjV=I-vTXJ>{x zGhT0mR6l|UEfP=(UiwEQ9#Df2Z}g#3i&Q~L|KK44R4O4=MM9POfW!lY@7$SL@1Fya zR$1Hko_p?hzVn@P?jPRx__|Ty{vtK^{7e;?OJQiDDsoj-1kDuui+l|lA)*r?Jnf&eFsFP(nA+z?$ zyH~GWe*`C-c=3yK-_NbZ)(?-}nazLa)Yr*6PP&8qR-1QaPQfaDhWxI){Q~*DcYVO` z6R`g1-cj~YbOH#({?^GdS-j(kyE4CpG5QQyeC_;C$l}<_NQ?KdhYs)cTRd~R#?IDi zYx!cXIG!z*%9ZNO?A&}|)VIw*C}W`^+|XoCHbh8!Ds0l`sx94ODObuBj*n*-EKB%U zF_oVh&z|)HeBDxB&Qp!??4swo!V0D5n(T2Qd}G0pJ7PRLp1p>foxCr`iLe@qLgmVf z6ovPGKM;jS5rsGQj%F_Z@ZR`l!0810EuoJ0**vp$h6S?WlKsF^(hrB1!^vuolZ7HHmd$F_ ztjxg4YLAn2Y+W`YB@$aK^qAO{A#2O9$z0DhE(_(cAmm{bFwbQ|DNnJ<^Z2?U+hQBe z;j~Kkv{@X$iY2pJ09|?^S?4kktR-F9idsyGZ$?rHn=P*LZNb2$0Qp0wmvS>irQQPw z(FNPyzcH<|g(E`2JV05G9H(OdsRj&gDei)j!AMlfMycy*(Ev!mrBpEi5Q5o@3#arp ztSC$_+!8^+8x)x(?n>bxKX^xn2DdNw*en9;l3AQF@ukORtu6R=Kz=Lu&4EN5JCMS6 zfGlUOXairt>VP+mFOeb0fl+LT5jeK@D#ZfBnH5lRe#Eh4^P(@@QyWVxhaceIOm#L#Nx+!F)`HbNBbo%nk01*T$C(gwGWZ zfo@{bSnl6mneT2-Bq3dBnSjRWuz+sS6x57gbXmHZoz8HNrrH$4;(8U1NKLi#~E zof%sGHMc|F7!CmW(Dk5Tpkx+j%?iY|+Ur3AXOh9k0v3^4u|&0W8gtc%TBws>S=5n&&(g4%Q+(oSudMme|jsgUX zGnlP5w!}V79$b=?E z;0ueoC@K*aT!796p{kQ3lgEu9>=5x{hwytH&;=(H%H<*S*Xc~h)PgI*-H~WDGzWIL zl6(tWPpw~kYH_pnRPEgA>E+cLvmgX$cr@^dSsrK;Z2^6VJCRV?7JA` z2eK4{RJW;#d2Mj&e$XAD3kW?81k!Owdgy+rJAgFEIx0&LNDwo}mXgd#GR6hI*gqNR zvgpBAqMJ73p`i(6D2}J`>hGJASgm@OrQ^T}MTxBAm4q*8JP|dqt790DIt0NN8;5DAmT=Bv#`A(Lqi)KaWu*VZ6z$xJSWN;q^&4(JP(a2V3i6(fI#=FHNqDP zbyPQmqkGZ+!39!dm`3|cZgO@kVb(E*iU)sm5Tz|JiPSqT7sev&3Dx&n#5<24eQn8xqGbu=u;Lb_N7HC$k_(dclu(?V*FCU~lEdKiQi z)TW^6wUK||3%Y(iIDr;%b)q$e!Ph7_aK{2qk+nEP=8p+VPHs`g~E(ctk9Dd zCWi_Q>fK%*QKk+c=0ACv772Kjln`Lj&NB8S02TMD6SzILAkEBSoM6fp0~I$70<#{UsBnNTg>&-3rnk~ zS(EF!>;XT-Ud0s@C)82?=qfE@;poIYGthpGRMB&;3?+Ir+0p?;jLg!JxMcB# zTUz|W+hplk49R&n`JJ&-nIB@>f>uC4s~xm 
znBJMnm8+EA@4eNZ-XC2@dcV1Mcjodl|L&&u$GG{cbnBIe_bm?NxbS20@$-Ki@bS&7 V*FJg&kMo&J<*tvP!N-rY{{?v1>fZnW literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/http/no-version.pcap b/testing/btest/Traces/http/no-version.pcap new file mode 100644 index 0000000000000000000000000000000000000000..90906e934fc5f0cb7580ec69e3ac3bf2df2681fa GIT binary patch literal 1268 zcmbu9PiWIn9LL{k{X;fgr=Xi6J}PWGtj#E6;Fe@kmUH zjQ);~hY{+4n;*t2`9QaT#$e70)!u6Ns&IYref$X0B50^_EQykbN{`pJJ5E6f;ZBsR zZk*d@o99AF^z;Nmq42@yj3h?{B*8kXfD!P3gwT-wiILuKF$$xhT)1F3xuCr=xPsft}g|Xf}YsmsLdQ50+rf?~%NEt1qDpKKMA*(4P z!z1{z<>4u-LgythSd>J*MUc`n>Q$Vco}9_fx? z=%VM@W1(JC#-03yOwrAN@)9Wf{zV4$Z~R<8cgK{j!?|p(1t>w}e*>lYkLv&c literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/http/no-uri.bro b/testing/btest/scripts/base/protocols/http/no-uri.bro new file mode 100644 index 0000000000..9793b93c58 --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/no-uri.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -Cr $TRACES/http/no-uri.pcap %INPUT +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff weird.log + diff --git a/testing/btest/scripts/base/protocols/http/no-version.bro b/testing/btest/scripts/base/protocols/http/no-version.bro new file mode 100644 index 0000000000..3e861534bd --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/no-version.bro @@ -0,0 +1,3 @@ +# @TEST-EXEC: bro -Cr $TRACES/http/no-version.pcap %INPUT +# @TEST-EXEC: btest-diff http.log +