mirror of
https://github.com/zeek/zeek.git
synced 2025-10-12 11:38:20 +00:00
c8103dd963
This adds a signatures/http-body-match btest to verify how the signature framework matches HTTP body in requests and responses. It currently fails because the 'http-request-body' and 'http-reply-body' clauses never match anything when there is a '$' in their regular expressions. The other pattern clauses such as the 'payload' clause do not suffer from that restriction and it is not documented as a limitation of HTTP body pattern clauses either, so it is probably a bug. The "http-body-match" btest shows that without a fix any signatures which ends with a '$' in a http-request-body or http-reply-body rule will never raise a signature_match() event, and that signatures which do not end with a '$' cannot distinguish an HTTP body prefixed by the matching pattern (ex: ABCD) from an HTTP body consisting entirely of the matching pattern (ex: AB). Test cases by source port: - 13579: - GET without body, plain res body (CD, only) - 13578: - GET without body, plain res body (CDEF, prefix) - 24680: - POST plain req body (AB, only), plain res body (CD, only) - 24681: - POST plain req body (ABCD, prefix), plain res body (CDEF, prefix) - 24682: - POST gzipped req body (AB, only), gzipped res body (CD, only) - POST plain req body (CD, only), plain res body (EF, only) - 33210: - POST multipart plain req body (AB;CD;EF, prefix) - plain res body (CD, only) - 33211: - POST multipart plain req body (ABCD;EF, prefix) - plain res body (CDEF, prefix) - 34527: - POST chunked gzipped req body (AB, only) - chunked gzipped res body (CD, only) - 34528: - POST chunked gzipped req body (ABCD, prefix) - chunked gzipped res body (CDEF, prefix) The tests with source ports 24680, 24682 and 34527 should match the signature http_request_body_AB_only and the signature http_request_body_AB_prefix, but they only match the latter. The tests with source ports 13579, 24680, 24682, 33210 and 34527 should match the signature http_response_body_CD_only and the signature http_response_body_CD_prefix, but they only match the latter. The tests with source ports 24680, 24681, 33210 and 33211 show how the http_request_body_AB_then_CD signature with two http-request-body conditions match either on one or multiple requests (documented behaviour). The test cases with other source ports show where the http_request_body_AB_only and http_response_body_CD_only signatures should not match because their bodies include more than the searched patterns. |
||
|---|---|---|
| .. | ||
| 100-continue.trace | ||
| 206_example_a.pcap | ||
| 206_example_b.pcap | ||
| 206_example_c.pcap | ||
| 1000-requests-one-dropped-response.pcap.gz | ||
| basic-auth-with-extra-space.trace | ||
| bro.org-filtered.pcap | ||
| bro.org.pcap | ||
| byteranges.trace | ||
| concurrent-range-requests-complete.pcap | ||
| concurrent-range-requests.pcap | ||
| connect-with-header.trace | ||
| connect-with-smtp.trace | ||
| content-range-gap-skip.trace | ||
| content-range-gap.trace | ||
| content-range-less-than-len.pcap | ||
| curl_http_09.pcap | ||
| entity_gap.trace | ||
| entity_gap2.trace | ||
| fake-content-length.pcap | ||
| flash-version.trace | ||
| get-gzip.trace | ||
| get.trace | ||
| get_nosyn.trace | ||
| http-09-content-length-confusion.pcap | ||
| http-11-request-then-cruft.pcap | ||
| http-bad-content-range-01.pcap | ||
| http-bad-request-with-version.trace | ||
| http-body-match.pcap | ||
| http-desync-request-response-5.pcap | ||
| http-filename.pcap | ||
| http-large-gap.pcap | ||
| http-post-large.pcap | ||
| http_09.pcap | ||
| http_large_req_8001.pcap | ||
| interleaved-http-entity.pcap | ||
| methods.trace | ||
| missing-zlib-header.pcap | ||
| multipart-form-data.pcap | ||
| multipart.trace | ||
| no-uri.pcap | ||
| no-version.pcap | ||
| no_crlf.pcap | ||
| percent-end-of-line.pcap | ||
| pipelined-requests.trace | ||
| post.trace | ||
| proxy.pcap | ||
| putty-upload.pcap | ||
| version-mismatch.pcap | ||
| websocket.pcap | ||
| x-gzip.pcap | ||
| zero-length-bodies-with-drops.pcap | ||