http.bro
@load ./main
@load base/utils/directions-and-hosts
@load base/protocols/http
module Netbase;

export {
	## Per-address HTTP counters appended to the Netbase observation
	## record (presumably declared in ./main — confirm). Every field is
	## incremented by Netbase::add_observables below and, because of
	## &log, ends up as a column of the observation log.
	redef record Netbase::observation += {
		# HTTP observations
		## POST requests issued by this (local) address as HTTP client.
		http_post_sent: count &default=0 &log;
		## POST requests received by this (local) address as HTTP server.
		http_post_recvd: count &default=0 &log;
		## GET requests issued by this (local) address as HTTP client.
		http_get_sent: count &default=0 &log;
		## GET requests received by this (local) address as HTTP server.
		http_get_recvd: count &default=0 &log;
		## 4xx responses received by this (local) address as HTTP client.
		http_400_recvd: count &default=0 &log;
		## 5xx responses received by this (local) address as HTTP client.
		http_500_recvd: count &default=0 &log;
		## 4xx responses returned by this (local) address as HTTP server.
		http_400_sent: count &default=0 &log;
		## 5xx responses returned by this (local) address as HTTP server.
		http_500_sent: count &default=0 &log;
	};
}
# Collect HTTP request stats. Each POST or GET is attributed to the
# local endpoint(s) of the connection: the originator "sent" it, the
# responder "received" it. The resulting observables are handed to
# Netbase::SEND(); all other request methods are ignored.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	local client = c$id$orig_h;
	local server = c$id$resp_h;
	local to_send = observables();

	# Observable names for the client and server side, fixed by method.
	local sent_name = "";
	local recvd_name = "";

	if ( method == "POST" )
		{
		sent_name = "http_post_sent";
		recvd_name = "http_post_recvd";
		}
	else if ( method == "GET" )
		{
		sent_name = "http_get_sent";
		recvd_name = "http_get_recvd";
		}
	else
		{
		# Nothing is recorded for other methods.
		return;
		}

	# Only addresses in LOCAL_HOSTS (base/utils/directions-and-hosts) are tracked.
	# NOTE(review): if client == server (a local host talking to itself) the
	# second assignment replaces the first, so only recvd_name is delivered.
	if ( addr_matches_host(client, LOCAL_HOSTS) )
		to_send[client] = set([$name=sent_name]);
	if ( addr_matches_host(server, LOCAL_HOSTS) )
		to_send[server] = set([$name=recvd_name]);

	# Deliver whatever was recorded for each side.
	if ( client in to_send )
		Netbase::SEND(client, to_send[client]);
	if ( server in to_send )
		Netbase::SEND(server, to_send[server]);
	}
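# Collect HTTP server response stats. A 4xx status is counted as a
# client error and a 5xx status as a server error; each is attributed to
# the local endpoint(s) of the connection (the originator received the
# error, the responder sent it) and handed to Netbase::SEND().
event http_reply(c: connection, version: string, code: count, reason: string)
	{
	local client = c$id$orig_h;
	local server = c$id$resp_h;
	local pkg = observables();

	# Observable names for the client and server side; empty until the
	# status code has been classified.
	local client_obs = "";
	local server_obs = "";

	# Compare the numeric status directly rather than matching /^4/ or
	# /^5/ against cat(code): the regex also treated out-of-range values
	# such as 4, 40 or 4000 as client errors.
	if ( code >= 400 && code < 500 )
		{
		client_obs = "http_400_recvd";
		server_obs = "http_400_sent";
		}
	else if ( code >= 500 && code < 600 )
		{
		client_obs = "http_500_recvd";
		server_obs = "http_500_sent";
		}
	else
		{
		# 1xx, 2xx and 3xx responses are not counted.
		return;
		}

	# Only addresses in LOCAL_HOSTS (base/utils/directions-and-hosts) are tracked.
	# NOTE(review): if client == server (a local host talking to itself) the
	# second assignment replaces the first, so only server_obs is delivered.
	if ( addr_matches_host(client, LOCAL_HOSTS) )
		pkg[client] = set([$name=client_obs]);
	if ( addr_matches_host(server, LOCAL_HOSTS) )
		pkg[server] = set([$name=server_obs]);

	# Deliver whatever was recorded for each side.
	if ( client in pkg )
		Netbase::SEND(client, pkg[client]);
	if ( server in pkg )
		Netbase::SEND(server, pkg[server]);
	}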
# Handler that folds delivered observables into the observations table.
# It runs for every Netbase::SEND() call; in a cluster only the proxy
# node keeps the table, otherwise the single standalone node does.
@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::PROXY )
event Netbase::add_observables(ip: addr, obs: set[observable])
	{
	for ( ob in obs )
		{
		# Each observable name maps to exactly one counter of the
		# per-address observation record; unknown names are ignored.
		# NOTE(review): presumably observations[ip] is created elsewhere
		# (e.g. a &default on the table in ./main) — confirm.
		local field = ob$name;

		if ( field == "http_post_sent" )
			++observations[ip]$http_post_sent;
		else if ( field == "http_post_recvd" )
			++observations[ip]$http_post_recvd;
		else if ( field == "http_get_sent" )
			++observations[ip]$http_get_sent;
		else if ( field == "http_get_recvd" )
			++observations[ip]$http_get_recvd;
		else if ( field == "http_400_recvd" )
			++observations[ip]$http_400_recvd;
		else if ( field == "http_500_recvd" )
			++observations[ip]$http_500_recvd;
		else if ( field == "http_400_sent" )
			++observations[ip]$http_400_sent;
		else if ( field == "http_500_sent" )
			++observations[ip]$http_500_sent;
		}
	}
@endif