base/protocols/http/entities.zeek

HTTP

Analysis and logging for MIME entities found in HTTP sessions.

Namespace: HTTP
Imports: base/frameworks/files, base/protocols/http/main.zeek, base/utils/files.zeek, base/utils/strings.zeek

Summary

Runtime Options

HTTP::max_files_orig: count &redef Maximum number of originator files to log.
HTTP::max_files_resp: count &redef Maximum number of responder files to log.

Redefinitions

HTTP::Info: record
New Fields:

orig_fuids: vector of string &log &optional

An ordered vector of file unique IDs.

orig_filenames: vector of string &log &optional

An ordered vector of filenames from the client.

orig_mime_types: vector of string &log &optional

An ordered vector of mime types.

resp_fuids: vector of string &log &optional

An ordered vector of file unique IDs.

resp_filenames: vector of string &log &optional

An ordered vector of filenames from the server.

resp_mime_types: vector of string &log &optional

An ordered vector of mime types.

current_entity: HTTP::Entity &optional

The current entity.

orig_mime_depth: count &default = 0 &optional

Current number of MIME entities in the HTTP request message body.

resp_mime_depth: count &default = 0 &optional

Current number of MIME entities in the HTTP response message body.

fa_file: record &redef
New Fields:

http: HTTP::Info &optional

Hooks

HTTP::max_files_policy: hook Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp.

Detailed Interface

Runtime Options

HTTP::max_files_orig
Type: count
Attributes: &redef
Default: 15

Maximum number of originator files to log. The HTTP::max_files_policy hook is called once this limit is reached to determine whether it is enforced.

HTTP::max_files_resp
Type: count
Attributes: &redef
Default: 15

Maximum number of responder files to log. The HTTP::max_files_policy hook is called once this limit is reached to determine whether it is enforced.

Types

HTTP::Entity
Type: record

filename: string &optional

Filename for the entity if discovered from a header.

Hooks

HTTP::max_files_policy
Type: hook (f: fa_file, is_orig: bool) : bool

Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp. Break from the hook early to signal that the file limit should not be applied.
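As an added example (not part of the Zeek distribution), the following site script raises the responder-side cap, records when the cap is reached, and exempts one server from the limit by breaking out of the hook; the address `trusted_update_server` is a constructed placeholder, and `f$http$id$resp_h` relies on the `http: HTTP::Info` field this script adds to `fa_file` together with the `id: conn_id` field of HTTP::Info.

```zeek
@load base/protocols/http

# Raise the default cap of 15 responder files per HTTP connection to 30.
redef HTTP::max_files_resp = 30;

# Constructed address for illustration only; replace with a real host.
const trusted_update_server = 192.0.2.10 &redef;

hook HTTP::max_files_policy(f: fa_file, is_orig: bool)
    {
    # Only files carried over HTTP have f$http populated; leave the
    # limit in force for anything else by simply returning.
    if ( ! f?$http )
        return;

    # Make reaching the limit visible to analysts: a single connection
    # carrying an unusually large number of MIME entities is worth a look.
    Reporter::info(fmt("HTTP file limit reached on %s (%s side)",
                       f$http$uid, is_orig ? "originator" : "responder"));

    # Breaking from the hook signals that the file limit should NOT be
    # applied, so every responder file from this server keeps being logged.
    if ( ! is_orig && f$http$id$resp_h == trusted_update_server )
        break;
    }
```

Without the `break`, the hook returns true and the limit is enforced as usual, so only the exempted server's responder files continue to appear in `resp_fuids`, `resp_filenames` and `resp_mime_types` beyond the cap.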