entities.zeek¶

HTTP¶

Analysis and logging for MIME entities found in HTTP sessions.

Namespace: HTTP
Imports: base/frameworks/files, base/frameworks/notice/weird.zeek, base/protocols/http/main.zeek, base/utils/files.zeek, base/utils/strings.zeek

Summary¶

Runtime Options¶

`HTTP::max_files_orig`: `count` `&redef`	Maximum number of originator files to log.
`HTTP::max_files_resp`: `count` `&redef`	Maximum number of responder files to log.

Types¶

HTTP::Entity: record

Redefinitions¶

HTTP::Info: record

New Fields

HTTP::Info

orig_fuids: vector of string &log &optional: An ordered vector of file unique IDs.
orig_filenames: vector of string &log &optional: An ordered vector of filenames from the client.
orig_mime_types: vector of string &log &optional: An ordered vector of mime types.
resp_fuids: vector of string &log &optional: An ordered vector of file unique IDs.
resp_filenames: vector of string &log &optional: An ordered vector of filenames from the server.
resp_mime_types: vector of string &log &optional: An ordered vector of mime types.
current_entity: HTTP::Entity &optional: The current entity.
orig_mime_depth: count &default = 0 &optional: Current number of MIME entities in the HTTP request message body.
resp_mime_depth: count &default = 0 &optional: Current number of MIME entities in the HTTP response message body.

fa_file: record &redef

New Fields

fa_file

http: HTTP::Info &optional

Hooks¶

HTTP::max_files_policy: hook

Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp.

Detailed Interface¶

Runtime Options¶

HTTP::max_files_orig ¶

Type: count
Attributes: &redef
Default: 15

Maximum number of originator files to log. HTTP::max_files_policy even is called once this limit is reached to determine if it’s enforced.

HTTP::max_files_resp ¶

Type: count
Attributes: &redef
Default: 15

Maximum number of responder files to log. HTTP::max_files_policy even is called once this limit is reached to determine if it’s enforced.

Types¶

HTTP::Entity ¶

Type

record

filename: string &optional: Filename for the entity if discovered from a header.

Hooks¶

HTTP::max_files_policy ¶

Type: hook (f: fa_file, is_orig: bool) : bool

Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp. Break from the hook early to signal that the file limit should not be applied.