Permalink
Browse files

Put state into connection record.

  • Loading branch information...
mavam committed Nov 9, 2011
1 parent 5002a2a commit 200cdb23298876768c4debdb100bf931c70faa0a
Showing with 20 additions and 34 deletions.
  1. +17 −30 bodies.bro
  2. +3 −4 facebook.bro
View
@@ -4,6 +4,11 @@
module HTTP;
export {
+ redef record Info += {
+ body: string &optional;
+ reassemble_body: bool &default=F;

This comment has been minimized.

Show comment Hide comment
@mavam

mavam Nov 9, 2011

Owner

The nice thing is now that you can set reassemble_body from anywhere (e.g., a http_header event where you find a specific user agent value that suggests further body inspection) and simply write a handler for http_body_complete to process the body data, which is right there waiting for you.

@mavam

mavam Nov 9, 2011

Owner

The nice thing is now that you can set reassemble_body from anywhere (e.g., a http_header event where you find a specific user agent value that suggests further body inspection) and simply write a handler for http_body_complete to process the body data, which is right there waiting for you.

+ };
+
## Flag that indicates whether to hook request bodies.
const hook_request_bodies = F &redef;
@@ -15,25 +20,12 @@ export {
## Do not buffer more than this amount of bytes per HTTP message.
const max_body_size = 50000000;
-
}
## Users write a handler for this event to process the current HTTP body.
-global http_body: event(c: connection, is_orig: bool,
- data: string, size: count);
-
-type body_info: record {
- data: string;
- size: count;
-};
-
-global bodies: table[string, bool] of body_info;
-
-function notify_and_remove_body(c: connection, is_orig: bool)
+event http_body_complete(c: connection) &priority=-5
{
- local info = bodies[c$uid, is_orig];
- event http_body(c, is_orig, info$data, info$size);
- delete bodies[c$uid, is_orig];
+ delete c$http$body;
}
event http_begin_entity(c: connection, is_orig: bool)
@@ -45,35 +37,30 @@ event http_begin_entity(c: connection, is_orig: bool)
if ( hook_host_pattern !in c$http$host )
return;
- local info: body_info;
- info$data = "";
- info$size = 0;
- bodies[c$uid, is_orig] = info;
-
- # FIXME: Type inference should work here, but it doesn't.
- #bodies[c$uid, is_orig] = ["", 0];
+ c$http$body = "";
+ c$http$reassemble_body = T;
}
event http_entity_data(c: connection, is_orig: bool, length: count,
data: string)
{
- if ( [c$uid, is_orig] !in bodies )
+ if ( ! c$http?$body )
return;
- local info = bodies[c$uid, is_orig];
- info$data += data;
- info$size += length;
+ c$http$body += data;
- if ( info$size < max_body_size )
+ if ( c$http$response_body_len < max_body_size )
return;
- notify_and_remove_body(c, is_orig);
+ c$http$reassemble_body = F;
+ event http_body_complete(c);
}
event http_end_entity(c: connection, is_orig: bool)
{
- if ( [c$uid, is_orig] !in bodies )
+ if ( ! c$http?$body )
return;
- notify_and_remove_body(c, is_orig);
+ c$http$reassemble_body = F;
+ event http_body_complete(c);
}
View
@@ -23,7 +23,6 @@ module Facebook;
export {
redef enum Log::ID += { LOG };
- ## Describes the per-connection
type Info: record {
timestamp: string &log;
chat_from: string &log;
@@ -92,13 +91,13 @@ function parse_fb_message(data: string) : ChatMessage
}
## Reassemble the HTTP body of replies and look for Facebook chat messages.
-event http_body(c: connection, is_orig: bool, data: string, size: count)
+event http_body_complete(c: connection)
{
# Only consider chat messages for now.
- if (/^for \(;;\);\{\"t\":\"msg\".*text\":\"/ !in data) #"
+ if (/^for \(;;\);\{\"t\":\"msg\".*text\":\"/ !in c$http$body) #"
return;
- local msg = parse_fb_message(data);
+ local msg = parse_fb_message(c$http$body);
local i: Info;
i$timestamp = msg$timestamp;

0 comments on commit 200cdb2

Please sign in to comment.