[Bro-Dev] #959: Issue with HTTP POST file extraction

Bro Tracker bro at tracker.bro.org
Fri Mar 8 00:34:22 PST 2013


#959: Issue with HTTP POST file extraction
-----------------------------+---------------------
 Reporter:  gregoire.moreau  |       Type:  Problem
   Status:  new              |   Priority:  Low
Milestone:  Bro2.2           |  Component:  Bro
  Version:  2.1              |   Keywords:
-----------------------------+---------------------
 I've had a problem with the extraction of HTTP POST file content with
 bro2.1 stable, there's no problem with incoming content. I use a modified
 http/file-extract.bro script.

 My tests were mainly done with PDF content.

 The problem is whenever a 0x0d is found in the content, it is replaced
 with 0x0d0a.

 I've found a little workaround, but I'm not sure about all the borders
 effects it could have. Also, it may not be the good way to correct the
 problem...

 The workaround is as follow in HTTP.cc :

 *************** HTTP_Analyzer::HTTP_Analyzer(Connection*
 *** 808,813 ****
 --- 808,814 ----
       reply_reason_phrase = 0;

       content_line_orig = new ContentLine_Analyzer(conn, true);
 +     content_line_orig->SetCRLFAsEOL(CR_as_EOL & LF_as_EOL);
       AddSupportAnalyzer(content_line_orig);

 With the workaround it still add one CRLF at the end of some PDF files.

 As I wish to keep the hashes of the files it does matter :)

-- 
Ticket URL: <http://tracker.bro.org/bro/ticket/959>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker



More information about the bro-dev mailing list