[Bro] Binpac http

Matt Thompson mthompson at hexwave.com
Tue Apr 3 09:36:24 PDT 2012


I'm new to binpac but really like the concept (sick of hand writing
protocol decoders). I'm working on using binpac in a project to decode
pcap files. I have http mostly working but came across a problem with
getting the response body from responses that don't have a
content-length header.

RFC 2616 section 4.4, rule 5, says that the message length can be determined by
the server closing the connection. I think that the server must use a
Connection: close header if it's going to close the connection after the
response. How can I express this in binpac? I can add another delivery
mode and set that based on the presence of the Connection: close header,
but I am a little unclear on how to get the rest of the flow.

I'm setting delivery_mode_ = CLOSE if Content-Length doesn't exist and
Connection: close does exist.

In HTTP_Body I've added a CLOSE -> rest: bytestring &restofflow &chunked;

I have:

    refine typeattr HTTP_Body += &let {
        process_message: bool = http_body($context.connection.http_conn, body);
    };

http_body() is never called unless there is a Content-Length.

Any thoughts?

Matt Thompson
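The body-length decision the question is about, written out as an added Python example (not binpac, and not code from the Bro project or the original post): it applies the RFC 2616 section 4.4 rules in order, including the "server closes the connection" case, and splits a captured response accordingly. The sample response and the mode names are constructed for the example.

```python
# Delivery modes, mirroring the enum the post describes (CLOSE is the new one)
NONE, CHUNKED, LENGTH, CLOSE = "NONE", "CHUNKED", "LENGTH", "CLOSE"

def parse_headers(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    # Split a raw response into (status line, lower-cased header map, rest of flow)
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def delivery_mode(status_line: str, headers: dict[str, str], method: str = "GET") -> str:
    # RFC 2616 4.4 rules, in order; a later rule applies only if the earlier ones do not
    status = int(status_line.split()[1])
    # (1) HEAD responses, 1xx, 204 and 304 never carry a body, whatever the headers say
    if method == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return NONE
    # (2) a non-identity Transfer-Encoding takes precedence over Content-Length
    if headers.get("transfer-encoding", "identity").lower() != "identity":
        return CHUNKED
    # (3) Content-Length ((4) multipart/byteranges is not handled here)
    if "content-length" in headers:
        return LENGTH
    # (5) otherwise the body ends when the server closes the connection; RFC 2616 8.1.2.1 has
    # HTTP/1.1 servers announce that with Connection: close, but the rule itself does not need it
    return CLOSE

def split_body(raw: bytes, method: str = "GET") -> tuple[str, bytes]:
    # Return (mode, body) for one captured response; for CLOSE the body is the rest of the flow
    status_line, headers, rest = parse_headers(raw)
    mode = delivery_mode(status_line, headers, method)
    if mode == NONE:
        return mode, b""
    if mode == LENGTH:
        return mode, rest[:int(headers["content-length"])]
    if mode == CHUNKED:
        body = b""
        while True:  # chunk = hex size [;ext] CRLF data CRLF; a size of 0 ends the body
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)
            if size == 0:
                return mode, body
            body += rest[:size]
            rest = rest[size + 2:]
    return mode, rest  # CLOSE: everything captured up to the server's FIN/RST
# Constructed sample: no Content-Length, Connection: close, so the body is the rest of the flow
SAMPLE = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello world"
```

Because rule 2 outranks rule 3, a response carrying both Transfer-Encoding and Content-Length is decoded as chunked; a decoder that picks Content-Length first will disagree with the server about where the body ends.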
