mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00

When Zeek flips roles of a HTTP connection subsequent to the HTTP analyzer being attached, that analyzer would not update its own ContentLine analyzer state, resulting in the wrong ContentLine analyzer being switched into plain delivery mode.

In debug builds, this would result in assertion failures, in production builds, the HTTP analyzer would receive HTTP bodies as individual header lines, or conversely, individual header lines would be delivered as a large chunk from the ContentLine analyzer.

PCAPs were generated locally using tcprewrite to select well-known-http ports for both endpoints, then editcap to drop the first SYN packet.

Kudos to @JordanBarnartt for keeping at it.

Closes #3789
19 lines
990 B
Text
```zeek
# @TEST-DOC: Flipping roles of a HTTP connection didn't flip the content line analyzers, resulting in inconsistent deliveries. Regression test for #3789

# Pcap contains a POST of the Zeek logo, expecting SHA1 1991cedee47909e324ac1b8bee2020d5690891e1 in files.log
# @TEST-EXEC: zeek -b -r $TRACES/http/zeek-image-post-1080-8000-x.pcap %INPUT
# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p history service < conn.log > conn.log.cut
# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p host method uri version user_agent status_code status_msg < http.log > http.log.cut
# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p analyzers mime_type sha1 < files.log > files.log.cut
# @TEST-EXEC: btest-diff conn.log.cut
# @TEST-EXEC: btest-diff http.log.cut
# @TEST-EXEC: btest-diff files.log.cut

@load base/protocols/conn
@load base/protocols/http
@load base/files/hash

event file_new(f: fa_file)
	{
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	}
```
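The role-flip failure described in the commit message, as a simplified C++ model added here (not Zeek's analyzer code; `ToyContentLine`, `ToyConn` and the sample strings are hypothetical). The connection swaps which line splitter each direction feeds, and the request body stays in one piece only if the analyzer swaps its own pointers as well.

```cpp
#include <string>
#include <utility>
#include <vector>

// Toy stand-in for a ContentLine analyzer: splits on '\n' unless in plain mode.
struct ToyContentLine {
    bool plain = false;
    std::vector<std::string> Deliver(const std::string& data) const {
        if (plain) return {data};  // plain delivery: hand over one chunk
        std::vector<std::string> out;
        std::string::size_type start = 0, nl;
        while ((nl = data.find('\n', start)) != std::string::npos) {
            out.push_back(data.substr(start, nl - start));
            start = nl + 1;
        }
        if (start < data.size()) out.push_back(data.substr(start));
        return out;
    }
};

// The connection's delivery chain and the HTTP analyzer's own pointers
// refer to the same two splitters, but are tracked separately.
struct ToyConn {
    ToyContentLine cl[2];
    ToyContentLine* chain_orig = &cl[0];  // where originator bytes are fed
    ToyContentLine* chain_resp = &cl[1];  // where responder bytes are fed
    ToyContentLine* http_orig = &cl[0];   // HTTP analyzer's view of "originator"
    ToyContentLine* http_resp = &cl[1];   // HTTP analyzer's view of "responder"
    void FlipRoles(bool analyzer_updates_state) {
        std::swap(chain_orig, chain_resp);
        if (analyzer_updates_state) std::swap(http_orig, http_resp);
    }
    // Request headers announced a body: originator side goes to plain mode.
    void ExpectRequestBody() { http_orig->plain = true; }
};

// Constructed sample data, not taken from the test pcap.
const std::string kBody = "binary\nimage\nbytes\n";
const std::string kReplyHeaders = "HTTP/1.1 200 OK\nServer: demo\n\n";

std::size_t BodyPieces(bool fixed) {
    ToyConn c; c.FlipRoles(fixed); c.ExpectRequestBody();
    return c.chain_orig->Deliver(kBody).size();
}
std::size_t ReplyHeaderPieces(bool fixed) {
    ToyConn c; c.FlipRoles(fixed); c.ExpectRequestBody();
    return c.chain_resp->Deliver(kReplyHeaders).size();
}

int main() { return BodyPieces(true) == 1 && ReplyHeaderPieces(true) == 3 ? 0 : 1; }
```

With stale pointers the model splits the body into lines and collapses the reply headers into one chunk, which is the kind of mis-delivery the regression test is meant to catch through the SHA1 it expects in files.log.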