base/bif/plugins/Zeek_HTTP.events.bif.zeek

GLOBAL
Namespace: GLOBAL

Summary

Events

http_all_headers: event

Generated for HTTP headers, passing on all headers of an HTTP message at once.

http_begin_entity: event

Generated when starting to parse an HTTP body entity.

http_connection_upgrade: event

Generated when an HTTP session is upgraded to a different protocol (e.g. websocket).

http_content_type: event

Generated for reporting an HTTP body’s content type.

http_end_entity: event

Generated when finishing parsing an HTTP body entity.

http_entity_data: event

Generated when parsing an HTTP body entity, passing on the data.

http_event: event

Generated for errors found when decoding HTTP requests or replies.

http_header: event

Generated for HTTP headers.

http_message_done: event

Generated once at the end of parsing an HTTP message.

http_reply: event

Generated for HTTP replies.

http_request: event

Generated for HTTP requests.

http_stats: event

Generated at the end of an HTTP session to report statistics about it.

Detailed Interface

Events

http_all_headers
Type

event (c: connection, is_orig: bool, hlist: mime_header_list)

Generated for HTTP headers, passing on all headers of an HTTP message at once. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the header was sent by the originator of the TCP connection.

  • hlist – A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

See also: http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade

Note

This event is also raised for headers found in nested body entities.

http_begin_entity
Type

event (c: connection, is_orig: bool)

Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body, and potentially more than once if the body contains further nested MIME entities. Zeek raises this event just before it starts parsing each entity’s content.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the entity was sent by the originator of the TCP connection.

See also: http_all_headers, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_begin_entity, http_connection_upgrade

http_connection_upgrade
Type

event (c: connection, protocol: string)

Generated when an HTTP session is upgraded to a different protocol (e.g. websocket). This event is raised when a server replies with an HTTP 101 reply. No more HTTP events will be raised after this event.

Parameters
  • c – The connection.

  • protocol – The protocol to which the connection is switching.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request

http_content_type
Type

event (c: connection, is_orig: bool, ty: string, subty: string)

Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the entity was sent by the originator of the TCP connection.

  • ty – The main type.

  • subty – The subtype.

See also: http_all_headers, http_begin_entity, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade

Note

This event is also raised for headers found in nested body entities.

http_end_entity
Type

event (c: connection, is_orig: bool)

Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body, and potentially more than once if the body contains further nested MIME entities. Zeek raises this event at the point when it has finished parsing an entity’s content.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the entity was sent by the originator of the TCP connection.

See also: http_all_headers, http_begin_entity, http_content_type, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_end_entity, http_connection_upgrade

http_entity_data
Type

event (c: connection, is_orig: bool, length: count, data: string)

Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data whose size is not further defined.

A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the entity was sent by the originator of the TCP connection.

  • length – The length of data.

  • data – One chunk of raw entity data.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_entity_data, http_entity_data_delivery_size, skip_http_data, http_connection_upgrade
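The reassembly idiom described above, with the upper size limit applied, as an added example that is not part of the Zeek distribution. The module name BoundedBody, the names max_buffered, Buf and bodies, and the 64 KiB limit are assumptions; for simplicity a nested MIME entity restarts the buffer for its direction.

```zeek
# Added example: bounded body reassembly across the three entity events.
# BoundedBody, max_buffered, Buf and bodies are hypothetical names.
module BoundedBody;

export {
	## Upper limit on bytes buffered per entity (assumed value).
	const max_buffered: count = 64 * 1024 &redef;
}

type Buf: record {
	data: string &default="";
	truncated: bool &default=F;
};

# Keyed by connection UID and direction so request and reply bodies stay apart.
# The expiry bounds state for entities whose http_end_entity never arrives.
global bodies: table[string, bool] of Buf &create_expire=5min;

event http_begin_entity(c: connection, is_orig: bool)
	{
	bodies[c$uid, is_orig] = Buf();
	}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	if ( [c$uid, is_orig] !in bodies )
		return;
	local b = bodies[c$uid, is_orig];
	if ( b$truncated )
		return;
	# Append only as much of this chunk as still fits under the limit.
	local room = max_buffered - |b$data|;
	if ( length <= room )
		b$data = b$data + data;
	else
		{
		b$data = b$data + data[0:room];
		b$truncated = T;
		}
	}

event http_end_entity(c: connection, is_orig: bool)
	{
	if ( [c$uid, is_orig] !in bodies )
		return;
	local b = bodies[c$uid, is_orig];
	# Content analysis of b$data belongs here, once the entity is complete.
	print fmt("%s %s body: %d bytes buffered%s", c$uid, is_orig ? "request" : "reply", |b$data|, b$truncated ? " (truncated)" : "");
	delete bodies[c$uid, is_orig];
	}
```

Because records are reference types in Zeek, the updates made through the local b modify the table entry itself.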

http_event
Type

event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding HTTP requests or replies.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • event_type – A string describing the general category of the problem found (e.g., illegal format).

  • detail – A more detailed description of the error.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_header, http_message_done, http_reply, http_request, http_stats, mime_event, http_connection_upgrade

http_header
Type

event (c: connection, is_orig: bool, original_name: string, name: string, value: string)

Type

event (c: connection, is_orig: bool, name: string, value: string)

Generated for HTTP headers. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the header was sent by the originator of the TCP connection.

  • original_name – The name of the header (unaltered).

  • name – The name of the header (converted to all uppercase).

  • value – The value of the header.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade

Note

This event is also raised for headers found in nested body entities.

http_message_done
Type

event (c: connection, is_orig: bool, stat: http_message_stat)

Generated once at the end of parsing an HTTP message. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the entity was sent by the originator of the TCP connection.

  • stat – Further meta information about the message.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_reply, http_request, http_stats, http_connection_upgrade

http_reply
Type

event (c: connection, version: string, code: count, reason: string)

Generated for HTTP replies. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • version – The version number specified in the reply (e.g., 1.1).

  • code – The numerical response code returned by the server.

  • reason – The textual description returned by the server along with code.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_request, http_stats, http_connection_upgrade

http_request
Type

event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)

Generated for HTTP requests. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

Parameters
  • c – The connection.

  • method – The HTTP method extracted from the request (e.g., GET, POST).

  • original_URI – The unprocessed URI as specified in the request.

  • unescaped_URI – The URI with all percent-encodings decoded.

  • version – The version number specified in the request (e.g., 1.1).

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_stats, truncate_http_URI, http_connection_upgrade

http_stats
Type

event (c: connection, stats: http_stats_rec)

Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.

Parameters
  • c – The connection.

  • stats – Statistics summarizing HTTP-level properties of the finished connection.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_connection_upgrade