7.17.1 http variables

sensitive_URIs : pattern
Any HTTP method (e.g., GET, HEAD, POST) specifying a URI that matches this pattern is flagged as sensitive.

Default: URIs with /etc/passwd or /etc/shadow embedded in them, or /cfdocs/expeval (used in some Cold Fusion exploits). Note: the latter generates some false hits; it is included mainly to convey the notion of looking for direct attacks on the server itself, as opposed to the first two patterns, which look for attempts to reach sensitive files.

Deficiency: It would be very handy to have variables providing hooks for more context when considering whether a particular access is sensitive, such as whether the request was inbound or outbound.

sensitive_post_URIs : pattern
Any POST method specifying a URI that matches this pattern is flagged as sensitive.

Default: URIs with wwwroot embedded in them.

In addition, http_log holds the name of the HTTP log file to which Bro writes HTTP session summaries. It defaults to open_log_file("http").

Here we show an example of what entries in this file look like:

     972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
     %1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
     %1596 GET /vfrog/bottom.icon.gif
     %1596 GET /vfrog/top.icon.gif
     %1596 GET /vfrog/movies/off.gif
     %1596 GET /vfrog/new.frog.small.gif

Here we see a transcript of the 1596th HTTP session seen since Bro started running. The first line gives its start time and the participating hosts. The next five lines all correspond to GET methods retrieving different items from the Web server. Deficiency: Bro can't log whether the retrievals succeeded or failed because it doesn't yet have an HTTP reply analyzer.

The corresponding lines in the red file look like:

     972482762.872695 481.551 http 441 5040 131.243.2.12 200.241.229.80 S3 X %10596
     972482764.686470 18.7611 http 596 7712 131.243.2.12 200.241.229.80 S3 X %10596
     972482764.685047 ? http 603 2959 131.243.2.12 200.241.229.80 S1 X %10596

That there are three connections rather than five reflects (i) that the client used persistent HTTP, so it did not need one connection per item, but also (ii) that the client used three parallel connections (the standard allows at most two) to fetch the items more quickly. As with FTP sessions, the %10596 addl annotation lets you correlate the red entries with the log entries.

Note: All three of the connections wound up in unusual states. The first two are in state S3, which, as indicated by Table 7.3, means that the responder (in this case, the Web server) attempted to close the connection, but there was no reply from the originator. The last is in state S1, indicating that neither side attempted to close the connection (which is why no duration is listed for that connection).
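The following is an added example, not code from Bro itself: it parses the http log and red entry formats shown above, applies the default sensitive_URIs and sensitive_post_URIs patterns to each request, and correlates red entries with log entries through the %N addl annotation. The sample data is constructed (session %1597 and its red entry are made up), the regexes are my rendering of the default patterns, and the red field order is assumed from the sample on this page.

```python
import re

# Regexes standing in for the page's default sensitive_URIs / sensitive_post_URIs patterns.
SENSITIVE_URIS = re.compile(r"/etc/passwd|/etc/shadow|/cfdocs/expeval")
SENSITIVE_POST_URIS = re.compile(r"wwwroot")

# Constructed sample data modelled on the page's entries; session %1597 is made up.
HTTP_LOG = """\
972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
%1596 GET /vfrog/bottom.icon.gif
972482790.000000 %1597 start 10.1.2.3 > 131.243.2.12
%1597 GET /cgi-bin/../../etc/passwd
%1597 POST /wwwroot/upload.asp
"""
RED_FILE = """\
972482762.872695 481.551 http 441 5040 131.243.2.12 200.241.229.80 S3 X %1596
972482764.685047 ? http 603 2959 131.243.2.12 200.241.229.80 S1 X %1596
972482789.500000 3.2 http 300 400 131.243.2.12 10.1.2.3 SF X %1597
"""

def parse_http_log(text):
    """Group http log lines by %N session id: a 'start' line, then one line per request."""
    sessions = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 6 and f[2] == "start":
            sessions[f[1]] = {"start": float(f[0]), "client": f[3], "server": f[5], "requests": []}
        elif len(f) == 3 and f[0] in sessions:
            sessions[f[0]]["requests"].append((f[1], f[2]))
    return sessions

def parse_red(text):
    """Parse red entries; field order assumed from the page's sample, '?' = never closed."""
    recs = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 10:  # start, duration, service, bytes x2, hosts x2, state, flags, %addl
            recs.append({"start": float(f[0]), "duration": None if f[1] == "?" else float(f[1]),
                         "state": f[7], "addl": f[9]})
    return recs

def flag_sensitive(sessions):
    """Apply sensitive_URIs to every request and sensitive_post_URIs to POSTs only."""
    return [(sid, m, uri, "sensitive_URIs" if SENSITIVE_URIS.search(uri) else "sensitive_post_URIs")
            for sid, s in sessions.items() for m, uri in s["requests"]
            if SENSITIVE_URIS.search(uri) or (m == "POST" and SENSITIVE_POST_URIS.search(uri))]

def correlate(sessions, red):
    """Map each http session id to the red entries carrying the same %addl annotation."""
    by_session = {sid: [] for sid in sessions}
    for r in red:
        by_session.setdefault(r["addl"], []).append(r)
    return by_session
```

A red entry whose duration parses as None is one still in state S1, the case the text describes where neither side attempted to close the connection.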