Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 09:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Remove hardcoded HTTP verbs from the analyzer (#741)

Browse source
This commit is contained in:
Vlad Grigorescu 2012-11-30 20:04:10 -05:00
parent e2fdf16e0c
commit e98343b562
2 changed files with 26 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/protocols/http/main.bro
View file

@ -95,6 +95,17 @@ export {
"PROXY-CONNECTION", "PROXY-CONNECTION",
} &redef; } &redef;
## A list of HTTP methods. Other methods will generate a weird.
const http_methods: set[string] = {
"GET", "POST", "HEAD", "OPTIONS",
"PUT", "DELETE", "TRACE", "CONNECT",
# HTTP methods for distributed authoring:
"PROPFIND", "PROPPATCH", "MKCOL",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH"
} &redef;
## Event that can be handled to access the HTTP record as it is sent on ## Event that can be handled to access the HTTP record as it is sent on
## to the logging framework. ## to the logging framework.
global log_http: event(rec: Info); global log_http: event(rec: Info);
@ -180,6 +191,9 @@ event http_request(c: connection, method: string, original_URI: string,
c$http$method = method; c$http$method = method;
c$http$uri = unescaped_URI; c$http$uri = unescaped_URI;
if ( !(method in http_methods) )
event conn_weird("unknown_HTTP_method", c, method);
} }
event http_reply(c: connection, version: string, code: count, reason: string) &priority=5 event http_reply(c: connection, version: string, code: count, reason: string) &priority=5

34
src/HTTP.cc
View file

@ -1118,37 +1118,19 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
{ {
const char* rest = 0; const char* request_method_str;
static const char* http_methods[] = { int request_method_len;
"GET", "POST", "HEAD", const char* rest;
get_word(strlen(line), line, request_method_len, request_method_str);
"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT", request_method = new StringVal(request_method_len, request_method_str);
if ( (rest = PrefixWordMatch(line, end_of_line, (const char*) request_method->AsString()->Bytes() )) == 0)
// HTTP methods for distributed authoring.
"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH",
0,
};
int i;
for ( i = 0; http_methods[i]; ++i )
if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
break;
if ( ! http_methods[i] )
{ {
// Weird("HTTP_unknown_method"); // Most likely a DPD failure - this is pretty noisy for me, so leaving commented for now
if ( RequestExpected() ) // reporter->InternalError("HTTP RequestLine failed");
HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
return 0; return 0;
} }
request_method = new StringVal(http_methods[i]);
if ( ! ParseRequest(rest, end_of_line) ) if ( ! ParseRequest(rest, end_of_line) )
reporter->InternalError("HTTP ParseRequest failed"); reporter->InternalError("HTTP ParseRequest failed");