Persistent Connections

Marc_Giannoni_NOAA_A · June 17, 2014, 1:34pm

Hello!

I am attempting to use BRO to decode back-end SOAP interactions. I have a script to assemble the HTTP bodies, and I am able to log SOAP elements from the HTTP body events. My problem is that the back-end uses persistent connections, and I end up missing transactions whenever I re-start BRO. The decoder is never triggered because the connection already exists.

I’m uninterested in the TCP handshake, I just need to capture the HTTP protocol to a specific back-end server-address and port.

##! This script reassembles full HTTP bodies and raises an event with the

##!

##! complete contents.

module HTTP;

export {

Flag that indicates whether to hook request bodies.

const hook_request_bodies = T &redef;

Flag that indicates whether to hook reply bodies.

const hook_reply_bodies = T &redef;

The pattern applies

const hook_host_pattern = /.*/ &redef;

Do not buffer more than this amount of bytes per HTTP message.

##const max_body_size = 50000000;

const max_body_size = 500000;

}

Users write a handler for this event to process the current HTTP body.

global http_body: event(c: connection, is_orig: bool,

data: string, size: count);

type body_info: record {

data: string;

size: count;

};

global bodies: table[string, bool] of body_info;

function notify_and_remove_body(c: connection, is_orig: bool)

{

local info = bodies[c$uid, is_orig];

event http_body(c, is_orig, info$data, info$size);

delete bodies[c$uid, is_orig];

}

event http_begin_entity(c: connection, is_orig: bool)

{

if ( (is_orig && ! hook_request_bodies) ||

(! is_orig && ! hook_reply_bodies) )

return;

if ( hook_host_pattern !in c$http$host )

return;

local info: body_info;

info$data = “”;

info$size = 0;

bodies[c$uid, is_orig] = info;

FIXME: Type inference should work here, but it doesn’t.

#bodies[c$uid, is_orig] = [“”, 0];

}

event http_entity_data(c: connection, is_orig: bool, length: count,

data: string)

{

if ( [c$uid, is_orig] !in bodies )

return;

local info = bodies[c$uid, is_orig];

info$data += data;

info$size += length;

if ( info$size < max_body_size )

return;

notify_and_remove_body(c, is_orig);

}

event http_end_entity(c: connection, is_orig: bool)

{

if ( [c$uid, is_orig] !in bodies )

return;

notify_and_remove_body(c, is_orig);

}

Cheers!
Marc Giannoni

Topic		Replies	Views
http_request event Zeek	4	58	May 6, 2022
Questions about Bro Capabilities Zeek	12	67	May 6, 2022
Option to make Bro willing to decode http sessions not preceded by tcp handshake? Zeek	3	62	May 6, 2022
Implementing a new script Zeek	2	60	May 6, 2022
Help with bro Zeek	4	65	May 6, 2022

Persistent Connections

Flag that indicates whether to hook request bodies.

Flag that indicates whether to hook reply bodies.

The pattern applies

Do not buffer more than this amount of bytes per HTTP message.

Users write a handler for this event to process the current HTTP body.

if ( hook_host_pattern !in c$http$host )

return;

FIXME: Type inference should work here, but it doesn’t.

Related Topics