GH-289: Add options to limit entries in http.log file fields

The "orig_fuids", "orig_filenames", "orig_mime_types" http.log fields as well as their "resp" counterparts are now limited to having "HTTP::max_files_orig" or "HTTP::max_files_resp" entries, which are 15 by default. The limit can also be ignored case-by-case via the "HTTP::max_files_policy" hook. Fixes GH-289
2025-10-11 02:58:20 +00:00 · 2019-02-27 14:25:15 -06:00 · 2019-02-27 14:25:15 -06:00 · 92b6656bad
commit 92b6656bad
parent 8b9d525097
9 changed files with 127 additions and 8 deletions
--- a/testing/btest/scripts/base/protocols/http/multipart-file-limit.bro
+++ b/testing/btest/scripts/base/protocols/http/multipart-file-limit.bro
@ -0,0 +1,23 @@
+# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT >out-limited
+# @TEST-EXEC: mv http.log http-limited.log
+# @TEST-EXEC: btest-diff http-limited.log
+# @TEST-EXEC: btest-diff out-limited
+# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
+# @TEST-EXEC: mv http.log http-limit-ignored.log
+# @TEST-EXEC: btest-diff http-limit-ignored.log
+# @TEST-EXEC: btest-diff out-limit-ignored
+
+option ignore_http_file_limit = F;
+
+redef HTTP::max_files_orig = 1;
+redef HTTP::max_files_resp = 1;
+
+hook HTTP::max_files_policy(f: fa_file, is_orig: bool)
+	{
+	print "max_files reached";
+
+	if ( ignore_http_file_limit )
+		break;
+	}