Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Revert "Some small tweaks to the HTTP analyzer".

Browse source 
This reverts commit 763a446182.
This commit is contained in:
Robin Sommer 2011-01-19 16:45:42 -08:00
parent 06bd8baef6
commit eb72ca7771
3 changed files with 8 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

2
policy/http-header.bro
View file

@ -2,8 +2,6 @@
# Prints out detailed HTTP headers. # Prints out detailed HTTP headers.
@load http
module HTTP; module HTTP;
export { export {

45
src/HTTP.cc
View file

@ -16,21 +16,16 @@
const bool DEBUG_http = false; const bool DEBUG_http = false;
/* The EXPECT_*_NOTHING states are used to prevent further parsing. Used
* if a message was interrupted.
*/
enum { enum {
EXPECT_REQUEST_LINE, EXPECT_REQUEST_LINE,
EXPECT_REQUEST_MESSAGE, EXPECT_REQUEST_MESSAGE,
EXPECT_REQUEST_TRAILER, EXPECT_REQUEST_TRAILER,
EXPECT_REQUEST_NOTHING,
}; };
enum { enum {
EXPECT_REPLY_LINE, EXPECT_REPLY_LINE,
EXPECT_REPLY_MESSAGE, EXPECT_REPLY_MESSAGE,
EXPECT_REPLY_TRAILER, EXPECT_REPLY_TRAILER,
EXPECT_REPLY_NOTHING,
}; };
HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body) HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body)
@ -856,20 +851,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
HTTP_Event("crud_trailing_HTTP_request", HTTP_Event("crud_trailing_HTTP_request",
new_string_val(line, end_of_line)); new_string_val(line, end_of_line));
else else
{ ProtocolViolation("not a http request line");
// We do see HTTP requests with a trailing EOL that's not
// not accounted for by the content-length. This will lead
// to a call to this method with len==0 while we are
// expecting a new request. Since HTTP servers handle
// such request gracefully, we should do so as well.
if (len==0)
Weird("empty_http_request");
else
{
ProtocolViolation("not a http request line");
request_state = EXPECT_REQUEST_NOTHING;
}
}
} }
break; break;
@ -879,9 +861,6 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
case EXPECT_REQUEST_TRAILER: case EXPECT_REQUEST_TRAILER:
break; break;
case EXPECT_REQUEST_NOTHING:
break;
} }
} }
else else
@ -894,8 +873,6 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
if ( unanswered_requests.empty() ) if ( unanswered_requests.empty() )
Weird("unmatched_HTTP_reply"); Weird("unmatched_HTTP_reply");
else
ProtocolConfirmation();
reply_state = EXPECT_REPLY_MESSAGE; reply_state = EXPECT_REPLY_MESSAGE;
reply_ongoing = 1; reply_ongoing = 1;
@ -908,10 +885,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
len); len);
} }
else else
{
ProtocolViolation("not a http reply line"); ProtocolViolation("not a http reply line");
reply_state = EXPECT_REPLY_NOTHING;
}
break; break;
@ -921,9 +895,6 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
case EXPECT_REPLY_TRAILER: case EXPECT_REPLY_TRAILER:
break; break;
case EXPECT_REPLY_NOTHING:
break;
} }
} }
} }
@ -1071,8 +1042,6 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
// HTTP methods for distributed authoring. // HTTP methods for distributed authoring.
"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT", "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
"COPY", "MOVE", "LOCK", "UNLOCK", "COPY", "MOVE", "LOCK", "UNLOCK",
// More stuff
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH", "SEARCH",
@ -1086,7 +1055,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
if ( ! http_methods[i] ) if ( ! http_methods[i] )
{ {
//Weird("HTTP_unknown_method"); // Weird("HTTP_unknown_method");
if ( RequestExpected() ) if ( RequestExpected() )
HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line)); HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
return 0; return 0;
@ -1287,10 +1256,7 @@ void HTTP_Analyzer::RequestMade(const int interrupted, const char* msg)
num_request_lines = 0; num_request_lines = 0;
if (interrupted) request_state = EXPECT_REQUEST_LINE;
request_state = EXPECT_REQUEST_NOTHING;
else
request_state = EXPECT_REQUEST_LINE;
} }
void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
@ -1319,10 +1285,7 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
reply_reason_phrase = 0; reply_reason_phrase = 0;
} }
if (interrupted) reply_state = EXPECT_REPLY_LINE;
reply_state = EXPECT_REPLY_NOTHING;
else
reply_state = EXPECT_REPLY_LINE;
} }
void HTTP_Analyzer::RequestClash(Val* /* clash_val */) void HTTP_Analyzer::RequestClash(Val* /* clash_val */)

13
src/bro.bif
View file

@ -1365,17 +1365,12 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
{ {
Analyzer* ha = c->FindAnalyzer(id); Analyzer* ha = c->FindAnalyzer(id);
if (ha) if ( ha->GetTag() == AnalyzerTag::HTTP )
{ static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
if ( ha->GetTag() == AnalyzerTag::HTTP )
static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
else
run_time("non-HTTP analyzer associated with connection record");
}
else else
run_time("could not find analyzer for skip_http_entity_data"); run_time("non-HTTP analyzer associated with connection record");
} }
else else
run_time("no analyzer associated with connection record"); run_time("no analyzer associated with connection record");