From dd0856a57f386b12819b7ef54b141d2d706539d8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 12 Feb 2014 22:38:59 -0500 Subject: [PATCH] HTTP CONNECT proxy support. - The HTTP analyzer now supports handling HTTP CONNECT proxies same as the SOCKS analyzer handles proxying. --- scripts/base/protocols/http/main.bro | 11 ++++++ src/analyzer/protocol/http/HTTP.cc | 35 ++++++++++++++++++ src/analyzer/protocol/http/HTTP.h | 4 ++ src/types.bif | 1 + .../conn.log | 10 +++++ .../http.log | 10 +++++ .../smtp.log | 10 +++++ .../tunnel.log | 10 +++++ .../btest/Traces/http/connect-with-smtp.trace | Bin 0 -> 4191 bytes .../base/protocols/http/http-connect.bro | 11 ++++++ 10 files changed, 102 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log create mode 100644 testing/btest/Traces/http/connect-with-smtp.trace create mode 100644 testing/btest/scripts/base/protocols/http/http-connect.bro diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index a164fcd6a6..27257be2d6 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -4,6 +4,7 @@ @load base/utils/numbers @load base/utils/files +@load base/frameworks/tunnels module HTTP; 
@@ -217,6 +218,16 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p c$http$info_code = code; c$http$info_msg = reason; } + + if ( c$http?$method && c$http$method == "CONNECT" && code == 200 ) + { + # Copy this conn_id and set the orig_p to zero because in the case of CONNECT proxies there will + # be potentially many source ports since a new proxy connection is established for each + # proxied connection. We treat this as a singular "tunnel". + local tid = copy(c$id); + tid$orig_p = 0/tcp; + Tunnel::register([$cid=tid, $tunnel_type=Tunnel::HTTP]); + } } event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5 diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index f605dce402..93dbfbcb2e 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -889,6 +889,9 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn) reply_code = 0; reply_reason_phrase = 0; + connect_request = false; + pia = 0; + content_line_orig = new tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); @@ -945,6 +948,14 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) if ( TCP() && TCP()->IsPartial() ) return; + if ( pia ) + { + // There will be a PIA instance if this connection has been identified + // as a connect proxy. + ForwardStream(len, data, is_orig); + return; + } + const char* line = reinterpret_cast(data); const char* end_of_line = line + len; 
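Review bot: The CONNECT test in the new block, `c$http$method == "CONNECT"`, is an exact comparison, while the matching core check this commit adds to HTTP_Analyzer::HTTP_Request() in HTTP.cc uses strcasecmp_n(); a request spelled `connect` would therefore put the analyzer into tunnel mode without Tunnel::register() ever running, and the two sides should agree. Since HTTP method tokens are case-sensitive (RFC 2616 §5.1.1), the core side is the one to make exact. Separately, `code == 200` is narrower than the protocol: any 2xx reply to CONNECT establishes the tunnel, so `if ( c$http?$method && c$http$method == "CONNECT" && code >= 200 && code < 300 )` would match what proxies actually send; the same `reply_code == 200` appears in the second DeliverStream hunk of HTTP.cc. The http_reply handler begins before this hunk.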
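Review bot: The new `if ( pia )` bypass only covers DeliverStream(); if HTTP_Analyzer also overrides Undelivered() (not part of this diff, so I cannot confirm it), a content gap on the tunneled stream would still be handed to the HTTP state machine and the ContentLine support analyzers that the second DeliverStream hunk removes. The same early-out, forwarding the gap to the child instead, is presumably needed there. The comment could also say where `pia` is set, e.g. `// pia is non-null once a CONNECT was answered with 200 (see the reply-line handling below); from then on this analyzer is a pass-through.` DeliverStream() starts and ends outside this hunk.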
@@ -1059,6 +1070,27 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) reply_message, is_orig, ExpectReplyMessageBody(), len); + + if ( connect_request && reply_code == 200 ) + { + pia = new pia::PIA_TCP(Conn()); + if ( AddChildAnalyzer(pia) ) + { + pia->FirstPacket(true, 0); + pia->FirstPacket(false, 0); + + // This connection has transitioned to no longer + // being http and the content line support analyzers + // need to be removed. + RemoveSupportAnalyzer(content_line_orig); + RemoveSupportAnalyzer(content_line_resp); + } + else + { + pia = 0; + } + } + } else { @@ -1404,6 +1436,9 @@ void HTTP_Analyzer::HTTP_Request() // DEBUG_MSG("%.6f http_request\n", network_time); ConnectionEvent(http_request, vl); } + + if ( strcasecmp_n(request_method->AsString()->Len(), (const char*) (request_method->AsString()->Bytes()), "CONNECT") == 0 ) + connect_request = true; } void HTTP_Analyzer::HTTP_Reply() diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index a1fedee41d..48a611b63b 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -5,6 +5,7 @@ #include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/tcp/ContentLine.h" +#include "analyzer/protocol/pia/PIA.h" #include "analyzer/protocol/zip/ZIP.h" #include "analyzer/protocol/mime/MIME.h" #include "binpac_bro.h" @@ -237,6 +238,9 @@ protected: int connection_close; int request_ongoing, reply_ongoing; + bool connect_request; + pia::PIA_TCP *pia; + Val* request_method; // request_URI is in the original form (may contain '%' diff --git a/src/types.bif b/src/types.bif index 2931bf2d22..a44c3c1615 100644 --- a/src/types.bif +++ b/src/types.bif @@ -186,6 +186,7 @@ enum Type %{ TEREDO, SOCKS, GTPv1, + HTTP, %} type EncapsulatingConn: record; 
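Review bot: The switch to the PIA happens when the reply status line is parsed, but the 200 reply's own header lines and terminating blank line arrive in later DeliverStream() calls, and with `pia` now non-null the new early-out at the top of DeliverStream() forwards them to the PIA as tunnel payload; unless the proxy sends no headers at all, the DPD buffer starts with proxy header text rather than the tunneled protocol. Tunnel mode is defined to begin after the blank line ending the successful response's header section, so the PIA creation and support-analyzer removal should be deferred to the point where the reply header section completes (that path is outside this hunk), with only a pending flag set here. The `else { pia = 0; }` branch relies on AddChildAnalyzer() freeing the rejected analyzer; if it does not, the `new pia::PIA_TCP` leaks, so a comment stating which holds, e.g. `// AddChildAnalyzer() deletes the analyzer when it refuses it — TODO confirm`, would help the next reader. DeliverStream() starts and ends outside this hunk.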
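Review bot: `connect_request` is only ever set to true here and, in the hunks shown, nothing resets it, so a refused CONNECT (for example a 407 from an authenticating proxy) followed by an ordinary request that gets a 200 on the same connection would still create the PIA and stop HTTP parsing. Assigning the comparison result on every request fixes that without touching the reply side: `connect_request = (strcasecmp_n(request_method->AsString()->Len(), (const char*) (request_method->AsString()->Bytes()), "CONNECT") == 0);`. HTTP_Request() begins before this hunk.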
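Review bot: The two new members in HTTP.h are undocumented, and their lifecycle is the non-obvious part of this change. I would add `bool connect_request; // Current request's method was CONNECT (set in HTTP_Request()).` and `pia::PIA_TCP *pia; // Non-null once a CONNECT was answered 200; DeliverStream() then forwards all data to it.` Ownership is worth stating too: the pointer is handed to AddChildAnalyzer() and presumably owned by the child-analyzer list from then on, so a note such as `// Owned by the analyzer tree after AddChildAnalyzer() — not deleted here; confirm` would stop a later maintainer from adding a double delete in the destructor.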
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log new file mode 100644 index 0000000000..8b639edd93 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2014-02-13-03-37-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1078232251.833846 CXWv6p3arKYeMETxOg 79.26.245.236 3378 254.228.86.79 8240 tcp http,smtp 6.722274 1685 223 SF - 0 ShADadfF 14 2257 16 944 (empty) +#close 2014-02-13-03-37-02 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log new file mode 100644 index 0000000000..4a2cf1ad17 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2014-02-13-03-37-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] vector[string] vector[string] vector[string] vector[string] +1078232252.284420 CXWv6p3arKYeMETxOg 79.26.245.236 3378 254.228.86.79 8240 1 CONNECT - mailin03.sul.t-online.de:25 / - - 0 0 200 Connection established - - - (empty) - - - - - - - +#close 2014-02-13-03-37-02 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log new file mode 100644 index 0000000000..e11a7e9ac0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smtp +#open 2014-02-13-03-37-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent fuids +#types time string addr port addr port count string string table[string] string string table[string] string string string string addr string string string vector[addr] string vector[string] +1078232255.642953 CXWv6p3arKYeMETxOg 79.26.245.236 3378 254.228.86.79 8240 1 208.191.73.21 Tue, 2 Mar 2004 13:57:49 +0100 Sybille Ostermann thenightwatch@t-online.de - - - Hier sind die dicken Girls hemmungloser denn je.. grcu - from mail.iosphere.net (mail.iosphere.net [216.58.97.33]) by mail.netsync.net with esmtp; Mrz, 02 2004 12:55:34 -0700 - 250 Message accepted. 254.228.86.79,79.26.245.236,216.58.97.33 Microsoft Outlook Build 10.0.2616 FVS9k93PUgScEUCOjd +#close 2014-02-13-03-37-02 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log new file mode 100644 index 0000000000..9e18e38e03 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2014-02-13-03-37-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1078232252.284420 - 79.26.245.236 0 254.228.86.79 8240 Tunnel::HTTP Tunnel::DISCOVER +#close 2014-02-13-03-37-02 
diff --git a/testing/btest/Traces/http/connect-with-smtp.trace b/testing/btest/Traces/http/connect-with-smtp.trace new file mode 100644 index 0000000000000000000000000000000000000000..dba5e69edc0c5c10ecf25db2bb50c46aa6b88ad7 GIT binary patch literal 4191 zcmcgvU2Ggz6~4P(r^%8PDM-{nqMmJETc3 zE|G7u9l~t_d_i$ zBovB-C1Uxl6^K4o4Y!8)&i(;%dc$))5>29l8cTig?1nEO>YGn~E`Is5c^~mY9r0I) zXtamO4xCYrCXVe3Px%}_AK>^VqTZL=GQV{5Iw6PTlSE?uC>0_vmrcYP_J z845^w-?p%}HMb>xD0jb%QEn0|av(yE;JzHS6t752_PURC=F4khwZ#wZ?j@ui5~NfW zhHcJi!DTiF>bUx}$sB_g>%@=zY*T}H&{gdV7k!ogvRY+rD`spbX6(;5XIEzInKw3( zZy;wmnuuHP`NU6u93Z~a7XgWrlDjQ#tYfq0%naQ~09~rNY*$0fkjm_zWui;>}`RVHwtQS2vM8 zD6Sk$YhuSow|uPU16VR!XL4=xFGdcdHAWxJqAhxrWM5L*-le3HHNn1eY;(g0O$Ppl zFPIlJ@EOdViUuCdz99+8O|pFZ@y%ox?#t2SgXBMbEVnPB z5$^aBAx9BOj;5emP!@&Hd}~1VQ^@=kWInt16d@yn`N3H9H<-d>-64`g7364g#L#V@ zTBSYUh*yvr`W8MMdySB;bT>Mp1F(V#7iO4iKv8#fw1~uS3Ad8H*eK-)svLS`@q3bM z<-GvcGsyKKay|O&zffiBdV(i%x@%~#zgAj`8kB@>0WUGm+&QKGk7j}P`a%6)o;;jV zdz7S#3k%oRk%wS<4hn{_xipwAij39{P z9|dU0Hl{G!sTx#JAE>?g)ZtXJM@jc8ecP3;t{MgZCY;xq1< zjN&L%D2Fj7Oa}~VSspK&wu846v4X&Hswhwv1rGrzFH-Tp^U5%bCZ?!xusLhszk^`6 zb}4rg`MD}Z(sb7CteQIG{pciJIMjXQ0p{3=-rjUyBKbfpI-0~&s<~={?in9;dcVBQ%HazrPaL>7_M8@ zIy+}(W)xpwms0NF%a~$0Fik7AWjQX4cnDcATvo=($~ZBFLC4gfM!0Sb7VVF402*xGV_c*Q{YRQZW`#RpAp%yBSKPvB_0)=s@ zD`$^I2TjzFvso010_IU$*EohQtE#A&63C&mb70w~DIMwSrN~X9j$wGra#^+NyBjlH z!S$wB(5W)*lW1>rV^!SYWva;sR=5?HU$I~difu=JJfL6Y4OYpJ%SqQ~D;6u6Me7M( zC{<(8<;E0$bwv|xs-AcJ>RDQ&dJc@>Yt`j(Y)p;nx#@>7lEFhcnwsdYk9{oqaG;4| zB}S~a_~mnzT7S<_$I($3y-=W4mll!e6)er8>2RaWH+TE%vNW5ouP)64BUqZRVh0@? zeu0p$er+PZjCEzb518A7T z9PuYR8dUf{{$%&YFOC1SrY|8