If a http header went across two packets the leading piece would be chopped
awick committed Jun 30, 2014
1 parent f145920 commit 0f33d60
Showing 4 changed files with 217 additions and 7 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG
Expand Up @@ -28,6 +28,8 @@
- freeSpaceG now supports a percentage
- Show up to 25 items of each SPI data field with a ...
to show more (issue #262)
- If a http header went across two packets the leading piece
would be chopped

0.11.0 2014/05/08
- BREAKING: elasticsearch 0.90.7 or newer required, recommend 0.90.12+,
14 changes: 7 additions & 7 deletions capture/parsers/http.c
Expand Up @@ -338,13 +338,6 @@ moloch_hp_cb_on_header_field (http_parser *parser, const char *at, size_t length
LOG("HTTPDEBUG: which: %d field: %.*s", session->which, (int)length, at);
#endif

if ((http->inHeader & (1 << session->which)) == 0) {
http->inValue |= (1 << session->which);
if (http->urlString && parser->status_code == 0 && pluginsCbs & MOLOCH_PLUGIN_HP_OU) {
moloch_plugins_cb_hp_ou(session, parser, http->urlString->str, http->urlString->len);
}
}

if (http->inValue & (1 << session->which)) {
http->inValue &= ~(1 << session->which);

Expand All @@ -355,6 +348,13 @@ moloch_hp_cb_on_header_field (http_parser *parser, const char *at, size_t length
}
}

if ((http->inHeader & (1 << session->which)) == 0) {
http->inHeader |= (1 << session->which);
if (http->urlString && parser->status_code == 0 && pluginsCbs & MOLOCH_PLUGIN_HP_OU) {
moloch_plugins_cb_hp_ou(session, parser, http->urlString->str, http->urlString->len);
}
}

size_t remaining = sizeof(http->header[session->which]) - strlen(http->header[session->which]) - 1;
if (remaining > 0)
strncat(http->header[session->which], at, MIN(length, remaining));
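Review bot: The relocated `inHeader` block (the last block of the second hunk, just before the `strncat`) carries no comment, yet its placement after the `inValue` flush is the whole fix: the removed block set `inValue` on a fragment whose `inHeader` bit was clear, so a field name arriving in two fragments presumably re-entered the flush on its second fragment and lost the first, which is what the commit message describes. I would add above it `/* First field fragment of a header section: mark the section open once so later fragments of the same name append instead of re-triggering the value flush above. */`, hedged because the flush body sits in the lines collapsed under "Expand All". Separately, the bounded `strncat` still truncates silently when a field name exceeds the `http->header[]` slot; a one-liner under the same debug `#ifdef` as the LOG at the top of the first hunk, e.g. `if (length > remaining) LOG("HTTPDEBUG: header field truncated");`, would make oversized names observable instead of lost. moloch_hp_cb_on_header_field starts and ends outside these hunks, and where `inHeader` is cleared again is not visible here.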
Binary file added tests/http-wrapped-header.pcap
208 changes: 208 additions & 0 deletions tests/http-wrapped-header.test
@@ -0,0 +1,208 @@
{
"packets" : [
{
"body" : {
"ua" : [
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
],
"test" : {
"number" : [
33554442
],
"ip" : [
167772161
],
"ip-asn" : [
"AS0000 This is neat"
],
"string" : [
"16777226:61462,33554442:80"
],
"ip-geo" : [
"RUS"
],
"ip-rir" : [
""
]
},
"db2" : 706,
"db" : 4119,
"no" : "test",
"ho" : [
"xxxxx.xxxxxxxx.xxxxxxxxxx.xxx"
],
"lp" : 1404135330,
"a2" : "10.0.0.2",
"http" : {
"method-term-cnt" : 1,
"method-term" : [
"GET"
],
"statuscode" : [
200
],
"statuscode-cnt" : 1,
"bodymagic-term" : [
"image/gif"
],
"bodymagic-term-cnt" : 1
},
"ss" : 1,
"hsvercnt" : 1,
"ta" : [
"dstip",
"http:content:image/gif",
"http:method:GET",
"http:statuscode:200",
"node:test",
"protocol:http",
"srcip",
"tcp"
],
"hpath" : [
"/x/xx/xxxxxxxxxxxxxxxxxxx/x/xxxxxx/xxxxxxxxxxxxxxx"
],
"pa1" : 7,
"fpd" : 1404135320459,
"fs" : [],
"by2" : 1002,
"g1" : "RUS",
"hvalcnt" : 14,
"hsver" : [
"1.1"
],
"pa2" : 5,
"uscnt" : 1,
"hocnt" : 1,
"p1" : 61462,
"by" : 4813,
"as1" : "AS0000 This is neat",
"g2" : "CAN",
"pr" : 6,
"ps" : [
24,
102,
180,
256,
1496,
2444,
2520,
3760,
4025,
4101,
4877,
4953
],
"prot-term-cnt" : 2,
"hpathcnt" : 1,
"hkey" : [
"v17",
"events",
"xxx",
"ns",
"pageName",
"v1",
"x",
"v2",
"products",
"AQE",
"vmf",
"r",
"c49",
"ce",
"g"
],
"hh2" : [
"http:header:access-control-allow-origin",
"http:header:cache-control",
"http:header:connection",
"http:header:content-length",
"http:header:content-type",
"http:header:date",
"http:header:etag",
"http:header:expires",
"http:header:keep-alive",
"http:header:last-modified",
"http:header:p3p",
"http:header:pragma",
"http:header:server",
"http:header:set-cookie",
"http:header:vary",
"http:header:x-c",
"http:header:xserver"
],
"lpd" : 1404135330336,
"fp" : 1404135320,
"as2" : "AS0001 Cool Beans!",
"hkeycnt" : 15,
"hmd5cnt" : 1,
"hh2cnt" : 17,
"pa" : 12,
"tacnt" : 8,
"sl" : 9877,
"fb1" : "474554202f782f78",
"us" : [
"//xxxxx.xxxxxxxx.xxxxxxxxxx.xxx/x/xx/xxxxxxxxxxxxxxxxxxx/x/xxxxxx/xxxxxxxxxxxxxxx?xxx=1&xxx=1&x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&vmf=xxxxxxxxxx.xxx.xxx.xxx&ce=UTF-8&ns=xxxxxxxxxx&pageName=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&g=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.jsp&r=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&events=xxxxxxxxxxxxxxxxxxxxxxxxxxx&products=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&v1=xxxxxxxxxxxxxxx&v2=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&v17=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&c49=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&AQE=1"
],
"hh1" : [
"http:header:accept",
"http:header:accept-encoding",
"http:header:accept-language",
"http:header:connection",
"http:header:cookie",
"http:header:host",
"http:header:referer",
"http:header:user-agent"
],
"a1" : "10.0.0.1",
"fb2" : "485454502f312e31",
"db1" : 3413,
"hmd5" : [
"ad480fd0732d0f6f1a8b06359e3a42bb"
],
"hdrs" : {
"hreq-referercnt" : 1,
"hreq-referer" : [
"http://www.xxxxxxxxxx.xxx/xx/xxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxx.jsp"
]
},
"by1" : 3811,
"hh1cnt" : 8,
"p2" : 80,
"rir2" : "TEST",
"hdvercnt" : 1,
"prot-term" : [
"http",
"tcp"
],
"hdver" : [
"1.1"
],
"hval" : [
"xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxxxxxxxxxxx",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"UTF-8",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxxxxxx.xxx.xxx.xxx",
"xxxxxxxxxx",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"1",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.jsp"
],
"uacnt" : 1
},
"header" : {
"index" : {
"_index" : "sessions-140630",
"_type" : "session"
}
}
}
]
}
