Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 17:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Remove hardcoded HTTP verbs from the analyzer (#741)

Browse source
This commit is contained in:
Vlad Grigorescu 2012-11-30 20:04:10 -05:00
parent e2fdf16e0c
commit e98343b562
2 changed files with 26 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/protocols/http/main.bro
View file

@ -95,6 +95,17 @@ export {
"PROXY-CONNECTION",
} &redef;
## A list of HTTP methods. Other methods will generate a weird.
const http_methods: set[string] = {
"GET", "POST", "HEAD", "OPTIONS",
"PUT", "DELETE", "TRACE", "CONNECT",
# HTTP methods for distributed authoring:
"PROPFIND", "PROPPATCH", "MKCOL",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH"
} &redef;
## Event that can be handled to access the HTTP record as it is sent on
## to the logging framework.
global log_http: event(rec: Info);
@ -180,6 +191,9 @@ event http_request(c: connection, method: string, original_URI: string,
c$http$method = method;
c$http$uri = unescaped_URI;
if ( !(method in http_methods) )
event conn_weird("unknown_HTTP_method", c, method);
}
event http_reply(c: connection, version: string, code: count, reason: string) &priority=5

40
src/HTTP.cc
View file

@ -1118,36 +1118,18 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
{
const char* rest = 0;
static const char* http_methods[] = {
"GET", "POST", "HEAD",
const char* request_method_str;
int request_method_len;
const char* rest;
get_word(strlen(line), line, request_method_len, request_method_str);
"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
// HTTP methods for distributed authoring.
"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH",
0,
};
int i;
for ( i = 0; http_methods[i]; ++i )
if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
break;
if ( ! http_methods[i] )
{
// Weird("HTTP_unknown_method");
if ( RequestExpected() )
HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
return 0;
}
request_method = new StringVal(http_methods[i]);
request_method = new StringVal(request_method_len, request_method_str);
if ( (rest = PrefixWordMatch(line, end_of_line, (const char*) request_method->AsString()->Bytes() )) == 0)
{
// Most likely a DPD failure - this is pretty noisy for me, so leaving commented for now
// reporter->InternalError("HTTP RequestLine failed");
return 0;
}
if ( ! ParseRequest(rest, end_of_line) )
reporter->InternalError("HTTP ParseRequest failed");