aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6d39ffc2be'
${ noResults }
suricata/libhtp/docs/QUICK_START

103 lines
4.5 KiB
Plaintext
Raw Blame History

QUICK START
-----------
LibHTP is envisioned to be many things, but the only scenario in which it has been tested
so far is that when you need to parse a duplex HTTP stream which you have obtained by
passively intercepting a communication channel. The assumption is that you have raw TCP data
(after SSL, if SSL is used).
Every parsing operation needs to follow these steps:
1. Configure-time:
1.1. Create one or more parser configuration structures.
1.2. Tweak the configuration of each parser to match the behaviour of
the server you're intercepting the communication of (htp_config_set_* functions).
1.3. Register the parser callbacks you'll need. You will need to use parser callbacks
if you want to monitor parsing events as they occur, and gain access to partial
transaction information. If you are processing data in batch (off-line) you may
simply parse entire streams at a time and only analyze complete transaction data
after the fact.
If you need to gain access to request and response bodies, your only option at
this time is to use the callbacks, because the parser will not preserve that
information.
For callback registration, look up the htp_config_register_* functions.
If your program operates in real-time then it may be desirable to dispose of
the used resources after each transaction is parsed. To do that, you are allowed
to call htp_tx_destroy() at the end of the RESPONSE callback.
2. Run-time:
2.1. Create a parser instance for every TCP stream you want to process.
2.2. Feed the parser inbound and outbound data.
The parser will typically always consume complete data chunks and return
STREAM_STATE_DATA, which means that you can continue to feed it more data
when you have it. If you have a queue of data chunks, always send the
parsed all the request chunks you have. That will ensure that the parser
never encounters a response for which it had not seen a request.
If you get STREAM_STATE_ERROR, the parser has encountered a fatal error and
is unable to continue to parse the stream. An error should never happen for
a valid HTTP stream. If you encounter such an error please send me the pcap
file for analysis.
There is one situation when the parser will not be able to consume a complete
request data chunk, in which case it will return STREAM_STATE_DATA_OTHER. You
will then need to do the following:
2.2.1. Remember how many bytes of data were consumed (using
htp_connp_req_data_consumed()).
2.2.2. Suspend request parsing until you get some response data.
2.2.3. Feed some response data to the parser.
Note that it is now possible to receive STREAM_STATE_DATA_OTHER
from the response parser. If that happens, you will need to
remember how many bytes were consumed using
htp_connp_res_data_consumed().
2.2.4. After each chunk of response data fed to the parser, attempt
to resume request stream parsing.
2.2.5. If you again receive STREAM_STATE_DATA_OTHER go back to 2.2.3.
2.2.6. At this point you should feed the parser all the request data
you have accumulated before giving it any response data. This is
necessary to prevent the case of the parser seeing more responses
than requests (which would inevitably result with an error).
2.2.7. Send unprocessed response data from 2.2.3 (if any).
2.2.8. Continue sending request/response data as normal.
The above situation should occur very rarely.
2.3. Analyze transaction data in callbacks (if any).
2.4. Analyze transaction data after an entire TCP stream has been processed.
2.4. Destroy parser instance to free up the allocated resources.
USER DATA
---------
If you're using the callbacks and you need to keep state between invocations, you have two
options:
1. Associate one opaque structure with a parser instance, using htp_connp_set_user_data().
2. Associate one opaque structure with a transaction instance, using htp_tx_set_user_data().
The best place to do this is in a TRANSACTION_START callback. Don't forget to free up
any resources you allocate on per-transaction basis, before you delete each transaction.
Reference in New Issue View Git Blame Copy Permalink