Add tests for {http,mime}_all_headers events

And remove unnecessary check for mime_all_headers in HTTP entities
(they ony raise the http_all_headers event, never mime_all_headers).

CHANGES

@@ -1,4 +1,11 @@
 
+3.1.0-dev.26 | 2019-08-13 11:25:20 -0700
+
+  * Add tests for {http,mime}_all_headers events (Jon Siwek, Corelight)
+
+    And remove unnecessary check for mime_all_headers in HTTP entities
+    (they ony raise the http_all_headers event, never mime_all_headers).
+
 3.1.0-dev.24 | 2019-08-12 19:30:26 -0700
 
   * Avoid buffering all http/mime headers (Justin Azoff)

VERSION

@@ -1 +1 @@
-3.1.0-dev.24
+3.1.0-dev.26

src/analyzer/protocol/http/HTTP.cc

@@ -53,8 +53,8 @@ HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity,
 	offset = 0;
 	instance_length = -1; // unspecified
 	send_size = true;
-	// MIME_Entity already set want_all_headers depending on mime_all_headers
-	if ( ! want_all_headers )
+	// Always override what MIME_Entity set for want_all_headers: HTTP doesn't
+	// raise the generic MIME events, but rather it's own specific ones.
 	want_all_headers = (bool)http_all_headers;
 	}
 

testing/btest/Baseline/scripts.base.protocols.http.all-headers-event/out

@@ -0,0 +1,19 @@
+http_all_headers
+{
+[2] = [name=ACCEPT, value=*/*],
+[4] = [name=CONNECTION, value=Keep-Alive],
+[1] = [name=USER-AGENT, value=Wget/1.14 (darwin12.2.0)],
+[3] = [name=HOST, value=bro.org]
+}
+http_all_headers
+{
+[2] = [name=SERVER, value=Apache/2.4.3 (Fedora)],
+[9] = [name=CONTENT-TYPE, value=text/plain; charset=UTF-8],
+[6] = [name=CONTENT-LENGTH, value=4705],
+[4] = [name=ETAG, value="1261-4c870358a6fc0"],
+[1] = [name=DATE, value=Thu, 07 Mar 2013 21:43:07 GMT],
+[8] = [name=CONNECTION, value=Keep-Alive],
+[7] = [name=KEEP-ALIVE, value=timeout=5, max=100],
+[5] = [name=ACCEPT-RANGES, value=bytes],
+[3] = [name=LAST-MODIFIED, value=Wed, 29 Aug 2012 23:49:27 GMT]
+}

testing/btest/Baseline/scripts.base.protocols.smtp.mime-all-headers-event/out

@@ -0,0 +1,50 @@
+mime_all_headers
+{
+[2] = [name=TO, value=<raj_deol2002in@yahoo.co.in>],
+[9] = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==],
+[6] = [name=MIME-VERSION, value=1.0],
+[11] = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=],
+[4] = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530],
+[1] = [name=FROM, value="Gurpartap Singh" <gurpartap@patriots.in>],
+[8] = [name=X-MAILER, value=Microsoft Office Outlook 12.0],
+[7] = [name=CONTENT-TYPE, value=multipart/mixed;\x09boundary="----=_NextPart_000_0004_01CA45B0.095693F0"],
+[5] = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>],
+[10] = [name=CONTENT-LANGUAGE, value=en-us],
+[3] = [name=SUBJECT, value=SMTP],
+[12] = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}]
+}
+mime_all_headers
+{
+[1] = [name=CONTENT-TYPE, value=multipart/alternative;\x09boundary="----=_NextPart_001_0005_01CA45B0.095693F0"]
+}
+mime_all_headers
+{
+[2] = [name=CONTENT-TRANSFER-ENCODING, value=7bit],
+[1] = [name=CONTENT-TYPE, value=text/plain;\x09charset="us-ascii"]
+}
+mime_all_headers
+{
+[2] = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable],
+[1] = [name=CONTENT-TYPE, value=text/html;\x09charset="us-ascii"]
+}
+mime_all_headers
+{
+[2] = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable],
+[1] = [name=CONTENT-TYPE, value=text/plain;\x09name="NEWS.txt"],
+[3] = [name=CONTENT-DISPOSITION, value=attachment;\x09filename="NEWS.txt"]
+}
+mime_all_headers
+{
+[2] = [name=MIME-VERSION, value=1.0 (Mac OS X Mail 8.2 \(2102\))],
+[9] = [name=MESSAGE-ID, value=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>],
+[6] = [name=DATE, value=Sat, 25 Jul 2015 16:43:07 +0300],
+[11] = [name=TO, value=ericlim220@yahoo.com],
+[4] = [name=FROM, value=Albert Zaharovits <albert@example.com>],
+[1] = [name=CONTENT-TYPE, value=text/plain; charset=us-ascii],
+[8] = [name=CONTENT-TRANSFER-ENCODING, value=7bit],
+[7] = [name=CC, value=felica4uu@hotmail.com, davis_mark1@outlook.com],
+[5] = [name=IN-REPLY-TO, value=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>],
+[10] = [name=REFERENCES, value=<FA60128E-63CF-4C4E-8241-C5805EA0F66E@example.com> <9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>],
+[3] = [name=SUBJECT, value=Re: Bro SMTP CC Header],
+[12] = [name=X-MAILER, value=Apple Mail (2.2102)]
+}

testing/btest/scripts/base/protocols/http/all-headers-event.zeek

@@ -0,0 +1,16 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/http
+
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+	{
+	print "http_all_headers";
+	print hlist;
+	}
+
+event mime_all_headers(c: connection, hlist: mime_header_list)
+	{
+	print "mime_all_headers";
+	print hlist;
+	}

testing/btest/scripts/base/protocols/smtp/mime-all-headers-event.zeek

@@ -0,0 +1,16 @@
+# @TEST-EXEC: zeek -b -r $TRACES/smtp.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smtp
+
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+	{
+	print "http_all_headers";
+	print hlist;
+	}
+
+event mime_all_headers(c: connection, hlist: mime_header_list)
+	{
+	print "mime_all_headers";
+	print hlist;
+	}