[Bro] Persistent Connections

Marc Giannoni - NOAA Affiliate marc.giannoni at noaa.gov
Tue Jun 17 06:34:07 PDT 2014 

Hello!

I am attempting to use BRO to decode back-end SOAP interactions.  I have a
script to assemble the HTTP bodies, and I am able to log SOAP elements from
the HTTP body events.  My problem is that the back-end uses persistent
connections, and I end up missing transactions whenever I re-start BRO.
 The decoder is never triggered because the connection already exists.

I'm uninterested in the TCP handshake, I just need to capture the HTTP
protocol to a specific back-end server-address and port.



##! This script reassembles full HTTP bodies and raises an event with the

##!

##! complete contents.


> module HTTP;


> export {

    ## Flag that indicates whether to hook request bodies.

    const hook_request_bodies = T &redef;


>     ## Flag that indicates whether to hook reply bodies.

    const hook_reply_bodies = T &redef;


>     ## The pattern applies

    const hook_host_pattern = /.*/ &redef;


>     ## Do not buffer more than this amount of bytes per HTTP message.

    ##const max_body_size = 50000000;

    const max_body_size = 500000;


> }


> ## Users write a handler for this event to process the current HTTP body.

global http_body: event(c: connection, is_orig: bool,

                        data: string, size: count);


> type body_info: record {

    data: string;

    size: count;

};


> global bodies: table[string, bool] of body_info;


> function notify_and_remove_body(c: connection, is_orig: bool)

    {

    local info = bodies[c$uid, is_orig];

    event http_body(c, is_orig, info$data, info$size);

    delete bodies[c$uid, is_orig];

    }


> event http_begin_entity(c: connection, is_orig: bool)

    {

    if ( (is_orig && ! hook_request_bodies) ||

         (! is_orig && ! hook_reply_bodies) )

        return;


> #    if ( hook_host_pattern !in c$http$host )

#        return;


>     local info: body_info;

    info$data = "";

    info$size = 0;

    bodies[c$uid, is_orig] = info;


>     # FIXME: Type inference should work here, but it doesn't.

    #bodies[c$uid, is_orig] = ["", 0];

    }


> event http_entity_data(c: connection, is_orig: bool, length: count,

                       data: string)

    {

    if ( [c$uid, is_orig] !in bodies )

        return;


>     local info = bodies[c$uid, is_orig];

    info$data += data;

    info$size += length;


>     if ( info$size < max_body_size )

        return;


>     notify_and_remove_body(c, is_orig);

    }


> event http_end_entity(c: connection, is_orig: bool)

    {

    if ( [c$uid, is_orig] !in bodies )

        return;


>     notify_and_remove_body(c, is_orig);

    }




Cheers!
Marc Giannoni
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140617/0f34ea78/attachment.html

More information about the Bro mailing list