Improved HTTP::build_url function.

- Scripts now deal with host headers containing the port value.
- build_url function now copes with a missing request
  (when only the response was seen for some reason).
Seth Hall 2011-05-10 13:49:55 -04:00
parent a1f9ba8b1b
commit c0ff43fd4a
5 changed files with 11 additions and 10 deletions


@ -155,7 +155,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
c$http$referrer = value; c$http$referrer = value;
else if ( name == "HOST" ) else if ( name == "HOST" )
c$http$host = value; # The split is done to remove the occasional port value that shows up here.
c$http$host = split1(value, /:/)[1];
else if ( name == "CONTENT-LENGTH" ) else if ( name == "CONTENT-LENGTH" )
c$http$request_content_length = to_count(strip(value)); c$http$request_content_length = to_count(strip(value));
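Review bot: Splitting the Host value at the first colon with `split1(value, /:/)[1]` reduces a bracketed IPv6 literal such as `[2001:db8::1]:8080` (constructed example) to `[`, and it discards the port the client claimed. The Host header is client-controlled, so a mangled host in the log and a lost mismatch between the claimed port and `c$id$resp_p` both reduce what an analyst can see. Consider stripping only a trailing numeric port, e.g. `c$http$host = sub(value, /:[0-9]+$/, "");`, and extending the comment to say the port is dropped on purpose. The http_header handler starts and ends outside this hunk.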


@ -29,7 +29,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
local c = state$conn; local c = state$conn;
local si = Software::parse(msg, c$id$resp_h, WEB_APPLICATION); local si = Software::parse(msg, c$id$resp_h, WEB_APPLICATION);
si$url = build_url(c); si$url = build_url(c$http);
if ( c$id$resp_h in Software::tracked && if ( c$id$resp_h in Software::tracked &&
si$name in Software::tracked[c$id$resp_h] ) si$name in Software::tracked[c$id$resp_h] )
{ {
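Review bot: The call `si$url = build_url(c$http);` dereferences `c$http` at the call site, while the guard that used to cover this case, `if ( ! c?$http ) return "";` inside build_url, is removed by this commit. Nothing visible in this hunk checks `c?$http` before the call, so a signature match on a connection without HTTP state would presumably raise a runtime error on the unset field instead of producing an empty URL. A guard such as `if ( c?$http ) si$url = build_url(c$http);` keeps the previous behaviour. The signature_match handler starts above the hunk, so an earlier check may already exist there.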


@ -72,7 +72,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
if ( c$http$calculating_md5 ) if ( c$http$calculating_md5 )
{ {
local url = build_url(c); local url = build_url(c$http);
c$http$calculating_md5 = F; c$http$calculating_md5 = F;
c$http$md5 = md5_hash_finish(c$id); c$http$md5 = md5_hash_finish(c$id);


@ -76,7 +76,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
if ( msg in mime_types_extensions && if ( msg in mime_types_extensions &&
c$http?$uri && mime_types_extensions[msg] !in c$http$uri ) c$http?$uri && mime_types_extensions[msg] !in c$http$uri )
{ {
local url = build_url(c); local url = build_url(c$http);
local message = fmt("%s %s %s", msg, c$http$method, url); local message = fmt("%s %s %s", msg, c$http$method, url);
NOTICE([$note=HTTP_IncorrectFileType, NOTICE([$note=HTTP_IncorrectFileType,
$msg=message, $msg=message,


@ -6,7 +6,7 @@ module HTTP;
export { export {
global extract_keys: function(data: string, kv_splitter: pattern): string_vec; global extract_keys: function(data: string, kv_splitter: pattern): string_vec;
global build_url: function(c: connection): string; global build_url: function(h: Info): string;
} }
@ -24,11 +24,11 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec
return key_vec; return key_vec;
} }
function build_url(c: connection): string function build_url(h: Info): string
{ {
if ( ! c?$http ) return ""; local uri = h?$uri ? h$uri : "/<missed_request>";
local host = h?$host ? h$host : fmt("%s", h$id$resp_h);
local host = c$http?$host ? c$http$host : fmt("%s:%d", c$id$resp_h, c$id$resp_p); if ( h$id$resp_p != 80/tcp )
local uri = c$http?$uri ? c$http$uri : "/<missed_request>"; host = fmt("%s:%s", host, h$id$resp_p);
return fmt("http://%s%s", host, uri); return fmt("http://%s%s", host, uri);
} }
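Review bot: In the new build_url, `host = fmt("%s:%s", host, h$id$resp_p);` formats a port value with `%s`, which as far as I can tell renders with its protocol suffix (for example `8080/tcp`), so the result would read `http://host:8080/tcp/path`. The removed line used `%d` for the port, and `host = fmt("%s:%d", host, h$id$resp_p);` would keep the URL well-formed. Because the host part comes from the client's Host header and the URL ends up in notices and logs, a short comment on build_url such as `# URL is reconstructed from untrusted request data and is not validated.` would help readers of those notices.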