http¶
This module converts supported input types to ‘http’ data to be used by modules downstream.
The supported input types are:
- TCP
- sslim
The format of the ‘http’ data follows the ChopProtocol model and looks like:
http = {
type = 'http'
timestamp = #Timestamp of this specific http transaction
flowStart = #Timestamp of the tcp session
addr = <((src, sport), (dst,dport))> #quad-tuple address
serverData = {
headers = <all response headers>
status = <status code>
body = <response body>
truncated = <True|False> #Was the body truncated by this module
body_len = <full body length>
hash_fn = <md5|sha1|sha256|sha512> #What hash function was used to hash the body
body_hash = <hash of response body>
},
clientData = {
headers = <all request headers>
uri = <request uri>
method = <GET|POST| ... > #What method was used
protocol = <UNKNOWN|0.9|1.0|1.1|Error> #What protocol version was used
body = <request body>
truncated = <True|False> #Was the body truncated by this module
body_len = <full body length>
hash_fn = <md5|sha1|sha256|sha512> #What hash function was used to hash the body
body_hash = <hash of request body>
}
}
Module flags/options:
-h, --help show this help message and exit
-v, --verbose Be verbose about incoming packets and errors
-b, --no-body Do not store http bodies
-s, --suppress Suppress htpy log output
-l LENGTH, --length=LENGTH
Maximum length of bodies in bytes (Default: 5MB, set
to 0 to process all body data)
-a HASH_FUNCTION, --hash-function=HASH_FUNCTION
Hash Function to use on bodies (default 'md5',
available: 'sha1', 'sha256', 'sha512')
-p PORTS, --ports=PORTS
List of ports to check comma separated, e.g.,
"80,8080", pass an empty string "" to scan all ports
(default '80')
Notes: If http parses a transaction that exceeds the length specified (default 5MB) it will truncate the body at that point (setting truncate to True) but will continue to hash and measure the length of the body. This means that body_len and body_hash will always be indicative of what was seen in the transaction even if the body was truncated.
Every transaction received will have its own timestamp for that transaction. This value coorelates to timestamp of the packet after the headers have been processed by htpy. The flowStart value is the tcp.timestamp of the 3-way handshake.