From c0ff43fd4aa52cfda6ecc049ed5bdc3e1e3eadf8 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 10 May 2011 13:49:55 -0400
Subject: [PATCH] Improved HTTP::build_url function.
- Scripts now deal with host headers containing the port value.
- build_url function copes with missing the request now (only seeing the response for some reason).
---
 policy/http/base.bro | 3 ++-
 policy/http/detect-webapps.bro | 2 +-
 policy/http/file-hash.bro | 2 +-
 policy/http/file-ident.bro | 2 +-
 policy/http/utils.bro | 12 ++++++------
 5 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/policy/http/base.bro b/policy/http/base.bro
index 9c9566ad1c..55d7518810 100644
--- a/policy/http/base.bro
+++ b/policy/http/base.bro
@@ -155,7 +155,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 c$http$referrer = value;
 else if ( name == "HOST" )
- c$http$host = value;
+ # The split is done to remove the occasional port value that shows up here.
+ c$http$host = split1(value, /:/)[1];
 else if ( name == "CONTENT-LENGTH" )
 c$http$request_content_length = to_count(strip(value));
diff --git a/policy/http/detect-webapps.bro b/policy/http/detect-webapps.bro
index 9649142cb2..27a6deea99 100644
--- a/policy/http/detect-webapps.bro
+++ b/policy/http/detect-webapps.bro
@@ -29,7 +29,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
 local c = state$conn;
 local si = Software::parse(msg, c$id$resp_h, WEB_APPLICATION);
- si$url = build_url(c);
+ si$url = build_url(c$http);
 if ( c$id$resp_h in Software::tracked && si$name in Software::tracked[c$id$resp_h] )
 {
diff --git a/policy/http/file-hash.bro b/policy/http/file-hash.bro
index 984e36ee3c..be08354e33 100644
--- a/policy/http/file-hash.bro
+++ b/policy/http/file-hash.bro
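Review bot: In policy/http/base.bro the new `split1(value, /:/)[1]` cuts the Host value at the first colon, so a bracketed IPv6 literal such as `[2001:db8::1]:8080` (constructed example) is stored as `[` and every log line or notice built from `c$http$host` loses the real host. The value is also stored without trimming, unlike the CONTENT-LENGTH branch just below, which calls `strip(value)`. Removing only a trailing numeric port keeps the rest intact, for example `c$http$host = sub(strip(value), /:[0-9]+$/, "");`. Dropping the port silently also hides a Host header whose port disagrees with the connection's responder port, which may be worth keeping in a separate field for detection. The handler body continues outside the hunk.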
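Review bot: In policy/http/detect-webapps.bro the call `build_url(c$http)` reads `c$http` with no visible `c?$http` test, and this commit removes the `if ( ! c?$http ) return "";` guard that build_url used to provide. If signature_match can fire on a connection where the HTTP state record was never created, the handler now hits a runtime error on an unset field instead of getting an empty URL; a guard such as `if ( ! c?$http ) return;` before the call would keep the old tolerance. The handler starts and ends outside the hunk, so an earlier check may already exist. The callers in file-hash.bro and file-ident.bro already dereference `c$http` in their visible conditions, so they are not made worse by the change.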
@@ -72,7 +72,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
 if ( c$http$calculating_md5 )
 {
- local url = build_url(c);
+ local url = build_url(c$http);
 c$http$calculating_md5 = F;
 c$http$md5 = md5_hash_finish(c$id);
diff --git a/policy/http/file-ident.bro b/policy/http/file-ident.bro
index 76f4123357..1f5512d621 100644
--- a/policy/http/file-ident.bro
+++ b/policy/http/file-ident.bro
@@ -76,7 +76,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
 if ( msg in mime_types_extensions && c$http?$uri && mime_types_extensions[msg] !in c$http$uri )
 {
- local url = build_url(c);
+ local url = build_url(c$http);
 local message = fmt("%s %s %s", msg, c$http$method, url);
 NOTICE([$note=HTTP_IncorrectFileType, $msg=message,
diff --git a/policy/http/utils.bro b/policy/http/utils.bro
index 0f5d2ac1fe..78512d9169 100644
--- a/policy/http/utils.bro
+++ b/policy/http/utils.bro
@@ -6,7 +6,7 @@ module HTTP;
 export {
 global extract_keys: function(data: string, kv_splitter: pattern): string_vec;
- global build_url: function(c: connection): string;
+ global build_url: function(h: Info): string;
 }
@@ -24,11 +24,11 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec
 return key_vec;
 }
-function build_url(c: connection): string
+function build_url(h: Info): string
 {
- if ( ! c?$http ) return "";
-
- local host = c$http?$host ? c$http$host : fmt("%s:%d", c$id$resp_h, c$id$resp_p);
- local uri = c$http?$uri ? c$http$uri : "/";
+ local uri = h?$uri ? h$uri : "/";
+ local host = h?$host ? h$host : fmt("%s", h$id$resp_h);
+ if ( h$id$resp_p != 80/tcp )
+ host = fmt("%s:%s", host, h$id$resp_p);
 return fmt("http://%s%s", host, uri);
 }
\ No newline at end of file
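Review bot: build_url in policy/http/utils.bro carries no comment on where its parts come from, although its result is placed in notice text (see the file-ident.bro hunk): `h$host` is the client-supplied Host header used without validation, while the port is the connection's responder port. I would add above the function something like `## Builds a URL for logging; the host is the Host header as sent by the client (not validated), and the responder address is used only when no Host header was seen.` Separately, the fallback `fmt("%s", h$id$resp_h)` followed by `:port` would presumably give an ambiguous authority for an IPv6 responder because the address is not bracketed, and the scheme is always `http://` regardless of the port.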