Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Tweaking how HTTP requests without URIs are handled.

Browse source 
The change from #49 made it an error to not have a URI. That however
then led requests with an URI yet no version to abort as well.
Instead, we now check if the token following the method is an "HTTP/"
version identifier. If, so accept that the URI is empty (and trigger
a weird) but otherwise keep processing.

Adding test cases for both HTTP requests without URI and without
version.
This commit is contained in:
Robin Sommer 2016-01-15 12:45:19 -08:00
parent adb3fab019
commit 642ef5d3c1
12 changed files with 60 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

6
CHANGES
View file

@ -1,12 +1,12 @@
2.4-236 | 2016-01-15 10:35:21 -0800
2.4-238 | 2016-01-15 12:56:33 -0800
* Add HTTP version information to HTTP log file. (Aaron Eppert)
* Add NOTIFY as a valid SIP message, per RFC 3265. (Aaron Eppert)
* Let HTTP parser reject requests that don't have both URI and
version. (William Glodek)
* Improve HTTP parser's handling of requests that don't have a URI.
(William Glodek/Robin Sommer)
* Fix crash when deleting non existing record member. Addresses
BIT-1519. (Johanna Amann)

2
VERSION
View file

@ -1 +1 @@
2.4-236
2.4-238

10
src/analyzer/protocol/http/HTTP.cc
View file

@ -1249,11 +1249,11 @@ int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
break;
}
if ( end_of_uri >= end_of_line )
{
Weird("missing_HTTP_uri");
return 0;
}
if ( end_of_uri >= end_of_line && PrefixMatch(line, end_of_line, "HTTP/") )
{
Weird("missing_HTTP_uri");
end_of_uri = line; // Leave URI empty.
}
for ( version_start = end_of_uri; version_start < end_of_line; ++version_start )
{

13
testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
View file

@ -3,14 +3,16 @@
#empty_field (empty)
#unset_field -
#path http
#open 2016-01-15-18-41-03
#open 2016-01-15-20-54-31
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string]
1354328870.191989 CXWv6p3arKYeMETxOg 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - 1.1 - 0 962 405 Method Not Allowed - - - (empty) - - - - - FKgccv1sOsIPuN3b73 text/html
1354328874.237327 CjhGID4nQcgTWjvg4c 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com (empty) - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FWUdF12OgqGLhf3NPl text/html
1354328874.299063 CCvvfg3TEfuqmmG4bh 128.2.6.136 46564 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FrYoRN2EwpZyXbyvF8 text/html
1354328874.342591 CsRx2w45OKnoww6xl4 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FJPouz1lbXUsa4Ef1 text/html
1354328874.364020 CRJuHdVW0XPVINV8a 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43911 200 OK - - - (empty) - - - - - FbONWS332vB7QP1sDi text/html
1354328878.470424 CPbrpk1qSsw6ESzHV4 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43983 200 OK - - - (empty) - - - - - Fw8xGD2taqNAOVvI88 text/html
1354328882.575456 C6pKV8GSxOnSLghOa 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 1.0 - 0 1207 403 Forbidden - - - (empty) - - - - - FdEQPY3H4Z608y5yq1 text/html
1354328882.928027 CIPOse170MGiRM1Qf4 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FcNjaW3kDUju84cG3 text/html
1354328882.968948 C7XEbhP654jzLoe3a 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Fe8v8c49yLvORp3zva text/html
1354328882.990373 CJ3xTn1c4Zw9TmAE05 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43913 200 OK - - - (empty) - - - - - FAbDo7c8yz5wducYb text/html
@ -20,30 +22,37 @@
1354328891.245592 C3SfNE4BWaU4aSuwkc 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FOOeqs4Vg0Zs3rcVYi text/html
1354328891.287655 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - F2wfYn1yFdeOeHFYA8 text/html
1354328891.309065 CwSkQu4eWZCH7OONC1 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - 0 963 405 Method Not Allowed - - - (empty) - - - - - F1d9bG11AdUoYIAPna text/html
1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - F73Xpt400aDAjp1tOj text/html
1354328895.416133 CzA03V1VcgagLjnO92 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FANgwp2fEJblWfGtqk text/html
1354328895.459490 CyAhVIzHqb7t7kv28 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FUelQv4zC3B2JEWwQ6 text/html
1354328895.480865 Cab0vO1xNYSS2hJkle 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - 0 963 405 Method Not Allowed - - - (empty) - - - - - FodlEg40uUijFetJb9 text/html
1354328899.526682 Cx2FqO23omNawSNrxj 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - 0 925 400 Bad Request - - - (empty) - - - - - FgQlB81dSyLHN5T8Q4 text/html
1354328903.572533 Cx3C534wEyF3OvvcQe 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FW2UCD2e0jxAndsTK3 text/html
1354328903.634196 CkDsfG2YIeWJmXWNWj 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FKANAL2sLvMgJdaEKa text/html
1354328903.676395 CUKS0W3HFYOnBqSE5e 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FNRuYy4eahAmiehFvd text/html
1354328903.697693 CRrfvP2lalMAYOCLhj 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - 0 925 400 Bad Request - - - (empty) - - - - - FAVGIL2N6x9nLyfGHh text/html
1354328907.743696 Cn78a440HlxuyZKs6f 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - 0 960 405 Method Not Allowed - - - (empty) - - - - - FKbiICMAvCsO6CFjk text/html
1354328911.790590 CUof3F2yAIid8QS3dk 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FD5riIpYe5BLR0aok text/html
1354328911.853464 CojBOU3CXcLHl1r6x1 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FUzHwP1gT2UJYnUpUi text/html
1354328911.897044 CJzVQRGJrX6V15ik7 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FfLe59279TLFl2hHKc text/html
1354328911.918511 ClAbxY1nmdjCuo0Le2 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - 0 960 405 Method Not Allowed - - - (empty) - - - - - FQrvtP3qpKeKPxn5Gf text/html
1354328915.964678 CwG0BF1VXE0gWgs78 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - 0 961 405 Method Not Allowed - - - (empty) - - - - - Fs5qiV3XoBOExKLdi4 text/html
1354328920.010458 CisNaL1Cm73CiNOmcg 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FpkucFbcGcM4CNkZf text/html
1354328920.072101 CBQnJn22qN8TOeeZil 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FBu6A04t7ZjbY0dCi8 text/html
1354328920.114526 CbEsuD3dgDDngdlbKf 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Fk7Se84fbLvbZEfBCd text/html
1354328920.136714 Cktvtw2VqwbTG0OgWk 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - 0 961 405 Method Not Allowed - - - (empty) - - - - - FNb8ZY2Zvw0MpF1qU4 text/html
1354328924.183211 CKfF8L3XSsgT2WYDN 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - Fo23U03XCMamm7QQWe text/html
1354328924.224567 CHrnr1115j0JRSXjG6 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - FqyVeZqSV8Tz7hfT1 text/html
1354328924.287402 Cnkr172qPtDAaK7Xd 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Ft15j5I9xSpfcA7Fh text/html
1354328924.328257 CcxZj6188NwHGl3a16 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FyF5ac1kxwCDvXZKz7 text/html
1354328924.350343 CUqYZc2XzbfnZKbgT 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - FuGiTK15gnR7f8Uti2 text/html
1354328924.391728 CVdnYXVEtNT1lQVL6 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - F93zuy2MGUDDPwg0xl text/html
1354328924.433150 CbNmy32YFt3gdIjV8 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 1.0 - 0 934 411 Length Required - - - (empty) - - - - - FRJvy31aqXlFemaBfc text/html
1354328924.496732 COTmF91mGWcb4zV7W5 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - Fcnnrf1A8AgOFzLHM text/html
1354328924.537671 CuChlg202P8sUFuXrg 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FI3I73110YtFWCuaG3 text/html
1354328924.559704 CZTTFm2GrMAs8leAyl 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - 0 0 200 OK - - - (empty) - - - - - - -
1354328928.625437 CV23rC3tBHfPhMUPtf 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - 0 0 200 OK - - - (empty) - - - - - - -
1354328932.692706 CkaPGx2P0Y3W5aHVFk 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 1.0 - 0 0 400 Bad Request - - - (empty) - - - - - - -
1354328932.754657 CY93mM3aViMiLKuSw3 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FaVAsywxxOtGAzel8 text/html
1354328932.796568 CXgISq6dA2DVPzqp9 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - - (empty) - - - - - FmzgEKnyfPnyZqmh text/html
#close 2016-01-15-18-41-03
#close 2016-01-15-20-54-32

22
testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
View file

@ -3,15 +3,12 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-01-15-18-41-03
#open 2016-01-15-20-54-31
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1354328874.237327 CjhGID4nQcgTWjvg4c 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F bro
1354328874.237327 CjhGID4nQcgTWjvg4c 128.2.6.136 46563 173.194.75.103 80 bad_HTTP_request - F bro
1354328874.278822 CCvvfg3TEfuqmmG4bh 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F bro
1354328874.321792 CsRx2w45OKnoww6xl4 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F bro
1354328882.575456 C6pKV8GSxOnSLghOa 128.2.6.136 46568 173.194.75.103 80 missing_HTTP_uri - F bro
1354328882.575456 C6pKV8GSxOnSLghOa 128.2.6.136 46568 173.194.75.103 80 bad_HTTP_request - F bro
1354328882.908690 CIPOse170MGiRM1Qf4 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F bro
1354328882.949510 C7XEbhP654jzLoe3a 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro
1354328887.094494 CMXxB5GvmoxJFXdTa 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro
@ -20,33 +17,20 @@
1354328891.226199 C3SfNE4BWaU4aSuwkc 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.267625 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.309065 CwSkQu4eWZCH7OONC1 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 missing_HTTP_uri - F bro
1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328895.396634 CzA03V1VcgagLjnO92 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.438812 CyAhVIzHqb7t7kv28 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.480865 Cab0vO1xNYSS2hJkle 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328903.572533 Cx3C534wEyF3OvvcQe 128.2.6.136 46583 173.194.75.103 80 missing_HTTP_uri - F bro
1354328903.572533 Cx3C534wEyF3OvvcQe 128.2.6.136 46583 173.194.75.103 80 bad_HTTP_request - F bro
1354328903.614145 CkDsfG2YIeWJmXWNWj 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F bro
1354328903.656369 CUKS0W3HFYOnBqSE5e 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F bro
1354328911.790590 CUof3F2yAIid8QS3dk 128.2.6.136 46588 173.194.75.103 80 missing_HTTP_uri - F bro
1354328911.790590 CUof3F2yAIid8QS3dk 128.2.6.136 46588 173.194.75.103 80 bad_HTTP_request - F bro
1354328911.832856 CojBOU3CXcLHl1r6x1 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F bro
1354328911.876341 CJzVQRGJrX6V15ik7 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F bro
1354328920.010458 CisNaL1Cm73CiNOmcg 128.2.6.136 46593 173.194.75.103 80 missing_HTTP_uri - F bro
1354328920.010458 CisNaL1Cm73CiNOmcg 128.2.6.136 46593 173.194.75.103 80 bad_HTTP_request - F bro
1354328920.052085 CBQnJn22qN8TOeeZil 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F bro
1354328920.094072 CbEsuD3dgDDngdlbKf 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.224567 CHrnr1115j0JRSXjG6 128.2.6.136 46598 173.194.75.103 80 missing_HTTP_uri - F bro
1354328924.224567 CHrnr1115j0JRSXjG6 128.2.6.136 46598 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.266693 Cnkr172qPtDAaK7Xd 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.308714 CcxZj6188NwHGl3a16 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.433150 CbNmy32YFt3gdIjV8 128.2.6.136 46603 173.194.75.103 80 missing_HTTP_uri - F bro
1354328924.433150 CbNmy32YFt3gdIjV8 128.2.6.136 46603 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.476011 COTmF91mGWcb4zV7W5 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.518204 CuChlg202P8sUFuXrg 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F bro
1354328932.692706 CkaPGx2P0Y3W5aHVFk 128.2.6.136 46608 173.194.75.103 80 missing_HTTP_uri - F bro
1354328932.692706 CkaPGx2P0Y3W5aHVFk 128.2.6.136 46608 173.194.75.103 80 bad_HTTP_request - F bro
1354328932.734579 CY93mM3aViMiLKuSw3 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F bro
1354328932.776609 CXgISq6dA2DVPzqp9 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F bro
#close 2016-01-15-18-41-03
#close 2016-01-15-20-54-32

10
testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2016-01-15-20-42-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string]
1362692526.939527 CXWv6p3arKYeMETxOg 141.142.228.5 59856 192.150.187.43 80 1 GET bro.org (empty) - 1.1 - 0 4705 200 OK - - - (empty) - - - - - FakNcS1Jfe01uljb3 text/plain
#close 2016-01-15-20-42-50

10
testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-01-15-20-42-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1362692526.939527 CXWv6p3arKYeMETxOg 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F bro
#close 2016-01-15-20-42-50

10
testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2016-01-15-20-44-15
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string]
1036020209.801685 CXWv6p3arKYeMETxOg 131.243.1.23 1035 131.243.1.10 80 1 GET - /cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t - - - 0 0 - - - - - (empty) - - - - - - -
#close 2016-01-15-20-44-15

BIN
testing/btest/Traces/http/no-uri.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/http/no-version.pcap Normal file
View file

Binary file not shown.

4
testing/btest/scripts/base/protocols/http/no-uri.bro Normal file
View file

@ -0,0 +1,4 @@
# @TEST-EXEC: bro -Cr $TRACES/http/no-uri.pcap %INPUT
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff weird.log

3
testing/btest/scripts/base/protocols/http/no-version.bro Normal file
View file

@ -0,0 +1,3 @@
# @TEST-EXEC: bro -Cr $TRACES/http/no-version.pcap %INPUT
# @TEST-EXEC: btest-diff http.log