##! Add "extended" information to the base HTTP analysis.
@load http/base
module HTTP;
export {
	## Global default for whether Basic-Auth passwords are recorded.
	## While this stays F only the username is extracted. Redefining it
	## to T also stores the password, and because Info$password carries
	## &log the cleartext secret then ends up in the HTTP log.
	const default_capture_password = F &redef;

	redef record Info += {
		## Username taken from a Basic-Auth Authorization header on the
		## request.
		username:         string &log &optional;
		## Password taken from the same header; only filled in when
		## capture_password is T for this request.
		password:         string &log &optional;

		## Per-request switch for password capture, initialised from
		## default_capture_password.
		capture_password: bool &default=default_capture_password;

		## Client headers seen on this request that suggest it passed
		## through a proxy, kept as "NAME -> value" strings.
		proxied:          set[string] &log &optional;
	};

	## Names of client headers that commonly signal a proxied request.
	## The http_header handler tests the header name against this set
	## verbatim; the entries here are written in upper case.
	const proxy_headers: set[string] = {
		"VIA",
		"FROM",
		"CLIENT-IP",
		"FORWARDED",
		"X-FORWARDED-FOR",
		"X-FORWARDED-FROM",
		"PROXY-CONNECTION",
		# NOTE(review): presumably deliberate rather than a typo (a
		# rewritten form of Proxy-Connection) - confirm before "fixing".
		"XROXY-CONNECTION",
	} &redef;
}
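# Inspects each client-side HTTP header: records headers listed in
# proxy_headers and extracts credentials from Basic-Auth Authorization
# headers. Both the header value and the decoded credentials come straight
# off the wire and are stored unmodified, so log consumers must treat
# username, password and proxied as untrusted text.
# NOTE(review): c$http is dereferenced without a c?$http check; presumably
# the base HTTP script has set it up before this priority-2 handler runs -
# confirm.
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
	{
	if ( is_orig ) # client headers
		{
		if ( name in proxy_headers )
			{
			# Create the set lazily so the field stays unset (and
			# unlogged) for requests without any proxy header.
			if ( ! c$http?$proxied )
				c$http$proxied = set();
			add c$http$proxied[fmt("%s -> %s", name, value)];
			}

		else if ( name == "AUTHORIZATION" )
			{
			if ( /^[bB][aA][sS][iI][cC] / in value )
				{
				# Drop the scheme token together with every blank that
				# follows it, so extra padding is not handed to the
				# base64 decoder.
				local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]+/, ""));

				# Cut at the first ':' only. A Basic-Auth password may
				# itself contain ':'; splitting on every colon would
				# record just the part before the second one.
				local up = split1(userpass, /:/);
				if ( |up| >= 2 )
					{
					c$http$username = up[1];
					# The password is kept only when capture is enabled
					# for this request.
					if ( c$http$capture_password )
						c$http$password = up[2];
					}
				else
					{
					# No ':' separator in the decoded text: flag the
					# request and, if capture is on, keep the raw
					# decoded string for later inspection.
					c$http$username = "<problem-decoding>";
					if ( c$http$capture_password )
						c$http$password = userpass;
					}
				}
			}
		}
	}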