base/protocols/http/entities.zeek

HTTP

Analysis and logging for MIME entities found in HTTP sessions.

Namespace

HTTP

Imports

base/frameworks/files, base/frameworks/notice/weird.zeek, base/protocols/http/main.zeek, base/utils/files.zeek, base/utils/strings.zeek

Summary

Runtime Options

HTTP::max_files_orig: count &redef

Maximum number of originator files to log.

HTTP::max_files_resp: count &redef

Maximum number of responder files to log.

Types

HTTP::Entity: record

Redefinitions

HTTP::Info: record

New Fields

HTTP::Info

orig_fuids: vector of string &log &optional

An ordered vector of file unique IDs.

orig_filenames: vector of string &log &optional

An ordered vector of filenames from the client.

orig_mime_types: vector of string &log &optional

An ordered vector of MIME types.

resp_fuids: vector of string &log &optional

An ordered vector of file unique IDs.

resp_filenames: vector of string &log &optional

An ordered vector of filenames from the server.

resp_mime_types: vector of string &log &optional

An ordered vector of MIME types.

current_entity: HTTP::Entity &optional

The current entity.

orig_mime_depth: count &default = 0 &optional

Current number of MIME entities in the HTTP request message body.

resp_mime_depth: count &default = 0 &optional

Current number of MIME entities in the HTTP response message body.

fa_file: record &redef

New Fields

fa_file

http: HTTP::Info &optional

Hooks

HTTP::max_files_policy: hook

Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp.

Detailed Interface

Runtime Options

HTTP::max_files_orig
Type: count

Attributes: &redef

Default: 15

Maximum number of originator files to log. The HTTP::max_files_policy hook is called once this limit is reached to determine whether it is enforced.

HTTP::max_files_resp
Type: count

Attributes: &redef

Default: 15

Maximum number of responder files to log. The HTTP::max_files_policy hook is called once this limit is reached to determine whether it is enforced.

Types

HTTP::Entity
Type: record

filename: string &optional

Filename for the entity if discovered from a header.

Hooks

HTTP::max_files_policy
Type: hook (f: fa_file, is_orig: bool) : bool

Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp. Break from the hook early to signal that the file limit should not be applied.
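
The following site policy script is an added example, not code from entities.zeek or the Zeek distribution. It raises both limits and uses the hook to lift the responder-side limit for selected servers, so that long keep-alive sessions to them do not lose file entries in http.log. The module name ExampleHTTPFiles, the option watched_servers, the subnet 192.0.2.0/24 and the value 30 are assumptions chosen for illustration.

```zeek
@load base/protocols/http

module ExampleHTTPFiles;

export {
	## Hypothetical option: servers whose HTTP responses should have
	## every file logged, regardless of HTTP::max_files_resp.
	## 192.0.2.0/24 is a documentation range used as a placeholder.
	option watched_servers: set[subnet] = { 192.0.2.0/24 };
}

# Raise the per-connection limits from the default of 15.
# The value 30 is an arbitrary example, not a recommendation.
redef HTTP::max_files_orig = 30;
redef HTTP::max_files_resp = 30;

# Called once a connection reaches HTTP::max_files_orig or
# HTTP::max_files_resp. Breaking out of the hook signals that the
# limit should not be applied to this file.
hook HTTP::max_files_policy(f: fa_file, is_orig: bool)
	{
	# fa_file$http is optional; without it there is no connection
	# context to decide on, so leave the limit in force.
	if ( ! f?$http )
		return;

	# Only lift the limit for files sent by the responder (server),
	# and only when that server is on the watch list.
	if ( ! is_orig && f$http$id$resp_h in watched_servers )
		break;

	# Falling through (no break) keeps the limit enforced.
	}
```

Lifting the limit means the resp_fuids, resp_filenames and resp_mime_types vectors can grow without bound on a single connection, so keep the watch list narrow.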