* host
* uri
* user_agent
+ * referrer
+ * origin
* version
* status_code
* status_msg
+ * trans_depth
Value* get_host(DataEvent*, Packet*, Flow*);
Value* get_user_agent(DataEvent*, Packet*, Flow*);
Value* get_uri(DataEvent*, Packet*, Flow*);
+Value* get_referrer(DataEvent*, Packet*, Flow*);
+Value* get_origin(DataEvent*, Packet*, Flow*);
Value* get_version(DataEvent*, Packet*, Flow*);
Value* get_stat_code(DataEvent*, Packet*, Flow*);
Value* get_stat_msg(DataEvent*, Packet*, Flow*);
+Value* get_trans_depth(DataEvent*, Packet*, Flow*);
// Common
Value* get_timestamp(DataEvent*, Packet*, Flow*);
return new Value(str.c_str());
}
+Value* get_referrer(DataEvent* event, Packet*, Flow*)
+{
+ const Field& field = ((HttpTransactionEndEvent*)event)->get_referer_hdr();
+ std::string str;
+ field_to_string(field, str);
+ return new Value(str.c_str());
+}
+
+Value* get_origin(DataEvent* event, Packet*, Flow*)
+{
+ const Field& field = ((HttpTransactionEndEvent*)event)->get_origin_hdr();
+ std::string str;
+ field_to_string(field, str);
+ return new Value(str.c_str());
+}
+
Value* get_version(DataEvent* event, Packet*, Flow*)
{
HttpEnums::VersionId version = ((HttpTransactionEndEvent*)event)->get_version();
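Review bot: get_referrer and get_origin hand client-controlled header bytes to `Value` through `str.c_str()`, so if `field_to_string` (its body is not in this hunk) copies the field verbatim, a NUL byte in the header would cut the logged value short and drop the rest from the extractor output. It is worth confirming how `field_to_string` treats NUL and other control bytes and recording it above get_referrer, e.g. `// c_str() stops at the first NUL; header bytes come from the client`. The downcast `(HttpTransactionEndEvent*)event` is unchecked; `static_cast<HttpTransactionEndEvent*>(event)` keeps the behaviour and rules out an accidental reinterpret or const cast. The neighbouring getters use the same pattern, so one follow-up could cover them all.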
return new Value(str.c_str());
}
+Value* get_trans_depth(DataEvent* event, Packet*, Flow*)
+{
+ const uint64_t trans_depth = ((HttpTransactionEndEvent*)event)->get_trans_depth();
+ return new Value(trans_depth);
+}
+
Value* get_timestamp(DataEvent*, Packet* p, Flow*)
{
char u_sec[8];
{"host", get_host},
{"uri", get_uri},
{"user_agent", get_user_agent},
+ {"referrer", get_referrer},
+ {"origin", get_origin},
{"version", get_version},
{"status_code", get_stat_code},
{"status_msg", get_stat_msg},
+ {"trans_depth", get_trans_depth}
};
void HttpExtractorEventHandler::handle(DataEvent& event, Flow* flow)
"host",
"uri",
"user_agent",
+ "referrer",
+ "origin",
"version",
"status_code",
"status_msg",
+ "trans_depth"
},
};
HttpTransactionEndEvent::HttpTransactionEndEvent(const HttpTransaction* const trans)
: transaction(trans) { }
-const Field& HttpTransactionEndEvent::get_host_hdr() const
+const Field& HttpTransactionEndEvent::get_client_header(uint64_t sub_id) const
{
HttpMsgHeader* headers = transaction->get_header(HttpCommon::SRC_CLIENT);
if (headers == nullptr)
return Field::FIELD_NULL;
- return headers->get_classic_buffer(HttpEnums::HTTP_BUFFER_HEADER, HttpEnums::HEAD_HOST, 0);
+ return headers->get_classic_buffer(HttpEnums::HTTP_BUFFER_HEADER, sub_id, 0);
+}
+
+const Field& HttpTransactionEndEvent::get_host_hdr() const
+{
+ return get_client_header(HttpEnums::HEAD_HOST);
+}
+
+const Field& HttpTransactionEndEvent::get_user_agent() const
+{
+ return get_client_header(HttpEnums::HEAD_USER_AGENT);
+}
+
+const Field& HttpTransactionEndEvent::get_referer_hdr() const
+{
+ return get_client_header(HttpEnums::HEAD_REFERER);
+}
+
+const Field& HttpTransactionEndEvent::get_origin_hdr() const
+{
+ return get_client_header(HttpEnums::HEAD_ORIGIN);
}
const Field& HttpTransactionEndEvent::get_uri() const
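Review bot: get_client_header takes `uint64_t sub_id`, although every caller in this hunk passes an HttpEnums header constant (HEAD_HOST, HEAD_USER_AGENT, HEAD_REFERER, HEAD_ORIGIN). Typing the parameter as the enumeration that declares those constants would stop an arbitrary integer from reaching `get_classic_buffer` as a header index. If `get_classic_buffer` itself takes an integer, the conversion can stay at that single call. The helper also deserves a one-line comment, for example `// Looks up a client (request) header; returns Field::FIELD_NULL when no client header section exists`. The matching declaration is in the class-definition hunk further down.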
return transaction->get_status()->get_reason_phrase();
}
-const Field& HttpTransactionEndEvent::get_user_agent() const
-{
- HttpMsgHeader* headers = transaction->get_header(HttpCommon::SRC_CLIENT);
- if (headers == nullptr)
- return Field::FIELD_NULL;
-
- return headers->get_classic_buffer(HttpEnums::HTTP_BUFFER_HEADER, HttpEnums::HEAD_USER_AGENT, 0);
-}
-
HttpEnums::VersionId HttpTransactionEndEvent::get_version() const
{
auto status = transaction->get_status();
return HttpEnums::VERS__NOT_PRESENT;
return status ? status->get_version_id() : transaction->get_request()->get_version_id();
}
+
+uint64_t HttpTransactionEndEvent::get_trans_depth() const
+{
+ if (transaction->get_request() != nullptr)
+ return transaction->get_request()->get_transaction_id();
+ if (transaction->get_status() != nullptr)
+ return transaction->get_status()->get_transaction_id();
+
+ return 0;
+}
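Review bot: get_trans_depth returns 0 when the transaction has neither a request nor a status, but nothing visible says whether 0 can also be a real transaction id. If it can, a consumer of the `trans_depth` field cannot tell "unknown" from a genuine first transaction. Confirm the numbering and document it above the function, e.g. `// 0 means neither request nor status was seen; ids are assumed to start at 1 (confirm)`. Each accessor is also called twice; `if (auto* req = transaction->get_request()) return req->get_transaction_id();` (and the same for the status) reads more directly.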
const Field& get_stat_code() const;
const Field& get_stat_msg() const;
const Field& get_user_agent() const;
+ const Field& get_referer_hdr() const;
+ const Field& get_origin_hdr() const;
HttpEnums::VersionId get_version() const;
+ uint64_t get_trans_depth() const;
private:
+ const Field& get_client_header(uint64_t sub_id) const;
+
const HttpTransaction* const transaction;
};
}
HEAD_CONTENT_TYPE, HEAD_EXPIRES, HEAD_LAST_MODIFIED, HEAD_X_FORWARDED_FOR, HEAD_TRUE_CLIENT_IP,
HEAD_X_WORKING_WITH, HEAD_CONTENT_TRANSFER_ENCODING, HEAD_MIME_VERSION, HEAD_PROXY_AGENT,
HEAD_CONTENT_DISPOSITION, HEAD_HTTP2_SETTINGS, HEAD_RESTRICT_ACCESS_TO_TENANTS,
- HEAD_RESTRICT_ACCESS_CONTEXT, HEAD__MAX_VALUE };
+ HEAD_RESTRICT_ACCESS_CONTEXT, HEAD_ORIGIN, HEAD__MAX_VALUE };
// All the infractions we might find while parsing and analyzing a message
enum Infraction
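Review bot: HEAD_ORIGIN goes in just before HEAD__MAX_VALUE, and the normalizer table later in this commit is matched to this enum only by position and by its trailing comments. This commit updates the enum, the normalizer table and the header-name list together, but nothing in the visible lines would fail the build if a later header were added to one and not the others. A misaligned table would silently apply the wrong normalizer to a header. A comment beside HEAD__MAX_VALUE such as `// add new headers immediately before this, with a matching row in the normalizer table and the name list` would record the rule. The enum's opening line is outside this hunk.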
&NORMALIZER_TOKEN_LIST, // HEAD_HTTP2_SETTINGS
&NORMALIZER_BASIC, // HEAD_RESTRICT_ACCESS_TO_TENANTS
&NORMALIZER_BASIC, // HEAD_RESTRICT_ACCESS_CONTEXT
+ &NORMALIZER_URI, // HEAD_ORIGIN
&NORMALIZER_BASIC, // HEAD__MAX_VALUE
&NORMALIZER_BASIC, // HEAD_CUSTOM_XFF_HEADER
&NORMALIZER_BASIC, // HEAD_CUSTOM_XFF_HEADER
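Review bot: `&NORMALIZER_URI` is chosen for HEAD_ORIGIN, but an Origin value is not always a single URI; the header may carry the literal `null`. What NORMALIZER_URI does with such a value is not visible here, and the new `origin` extractor field presumably reads the normalized buffer. It is worth confirming with a test that `null` comes through unchanged, so the logged value stays faithful to the wire. If the choice is deliberate, say so in the trailing comment, e.g. `// HEAD_ORIGIN: serialized origin or "null"`.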
{ HEAD_HTTP2_SETTINGS, "http2-settings" },
{ HEAD_RESTRICT_ACCESS_TO_TENANTS, "restrict-access-to-tenants" },
{ HEAD_RESTRICT_ACCESS_CONTEXT, "restrict-access-context" },
+ { HEAD_ORIGIN, "origin" },
{ 0, nullptr }
};
}
}
-HttpTransaction::HttpTransaction(HttpFlowData* session_data_, snort::Flow* const f): session_data(session_data_), flow(f)
+HttpTransaction::HttpTransaction(HttpFlowData* session_data_, snort::Flow* const f)
+ : session_data(session_data_), flow(f)
{
infractions[0] = nullptr;
infractions[1] = nullptr;