Merge branch 'topic/jgras/flash-detection' of https://github.com/J-Gras/bro

Switching from using the http_all_headers() event to
http_message_done(). That delays it a bit, but is the less expensive
event.

* 'topic/jgras/flash-detection' of https://github.com/J-Gras/bro:
  Updated detection of Flash and AdobeAIR.

scripts/base/frameworks/software/main.bro

@@ -280,6 +280,13 @@ function parse_mozilla(unparsed_version: string): Description
 				v = parse(parts[1])$version;
 			}
 		}
+	else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version )
+		{
+		software_name = "AdobeAIR";
+		parts = split_string_all(unparsed_version, /AdobeAIR\/[0-9\.]*/);
+		if ( 1 in parts )
+			v = parse(parts[1])$version;
+		}
 	else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
 		{
 		software_name = "Unspecified WebKit";

scripts/policy/protocols/http/software-browser-plugins.bro

@@ -1,4 +1,4 @@
-##! Detect browser plugins as they leak through requests to Omniture 
+##! Detect browser plugins as they leak through requests to Omniture
 ##! advertising servers.
 
 @load base/protocols/http
@@ -10,8 +10,10 @@ export {
 	redef record Info += {
 		## Indicates if the server is an omniture advertising server.
 		omniture: bool &default=F;
+		## The unparsed Flash version, if detected.
+		flash_version: string &optional;
 	};
-	
+
 	redef enum Software::Type += {
 		## Identifier for browser plugins in the software framework.
 		BROWSER_PLUGIN
@@ -22,12 +24,20 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 	{
 	if ( is_orig )
 		{
-		if ( name == "X-FLASH-VERSION" )
+		switch ( name )
 			{
-			# Flash doesn't include it's name so we'll add it here since it 
+			case "X-FLASH-VERSION":
-			# simplifies the version parsing.
+				# Flash doesn't include it's name so we'll add it here since it
-			value = cat("Flash/", value);
+				# simplifies the version parsing.
-			Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
+				c$http$flash_version = cat("Flash/", value);
+				break;
+
+			case "X-REQUESTED-WITH":
+				# This header is usually used to indicate AJAX requests (XMLHttpRequest),
+				# but Chrome uses this header also to indicate the use of Flash.
+				if ( /Flash/ in value )
+					c$http$flash_version = value;
+				break;
 			}
 		}
 	else
@@ -38,9 +48,26 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 		}
 	}
 
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	# If a Flash was detected, it has to be logged considering the user agent.
+	if ( is_orig && c$http?$flash_version )
+		{
+		# AdobeAIR contains a seperate Flash, which should be emphasized.
+		# Note: We assume that the user agent header was not reset by the app.
+		if( c$http?$user_agent )
+			{
+			if ( /AdobeAIR/ in c$http$user_agent )
+				c$http$flash_version = cat("AdobeAIR-", c$http$flash_version);
+			}
+
+		Software::found(c$id, [$unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
+		}
+	}
+
 event log_http(rec: Info)
 	{
-	# We only want to inspect requests that were sent to omniture advertising 
+	# We only want to inspect requests that were sent to omniture advertising
 	# servers.
 	if ( rec$omniture && rec?$uri )
 		{
@@ -48,11 +75,11 @@ event log_http(rec: Info)
 		local parts = split_string_n(rec$uri, /&p=([^&]{5,});&/, T, 1);
 		if ( 1 in parts )
 			{
-			# We do sub_bytes here just to remove the extra extracted 
+			# We do sub_bytes here just to remove the extra extracted
 			# characters from the regex split above.
 			local sw = sub_bytes(parts[1], 4, |parts[1]|-5);
 			local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/);
-			
+
 			for ( i in plugins )
 				Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);
 			}