9. HTTP

9.1. Types

class http.uri.split
scheme

URI scheme.

authority

URI authority.

host

URI host.

userinfo

URI userinfo.

user

URI user (from userinfo).

pass

URI password (from userinfo).

Note

RFC 3986 states that the format “user:password” in the userinfo field is deprecated.

port

URI port.

path

URI path.

query

URI query.

args

URI query’s parameters.

fragment

URI fragment.

tostring(split_uri)

Recreate the URI.

normalize()

Normalize the URI according to RFC 3986: remove dot-segments in the path, capitalize letters in escape sequences, decode percent-encoded octets (safe decoding), remove the default port, etc.

http.uri.split(str)

Split URI into subparts.

Example:

http.uri.split('http://www.example.com:8888/foo/page.php')

class http.uri.cookies

Store the cookies as a table of key-value pairs.

http.uri.cookies(str)

Parse the cookies.

Returns: cookies

9.2. Functions

http.uri.normalize(str)

Normalize the URI according to RFC 3986.
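
The normalization steps listed for normalize() above, carried through on one URI. This is an added example in Python, not Haka's implementation; the names normalize_uri and remove_dot_segments, the http/https default-port table and the sample URI are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Illustrative re-implementation of the RFC 3986 steps, not Haka's code.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
DEFAULT_PORTS = {"http": 80, "https": 443}
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def _fix_escape(match):
    # "Safe decoding": decode only unreserved characters, so an encoded
    # delimiter such as %2f stays encoded; other escapes get uppercase hex.
    char = chr(int(match.group(1), 16))
    return char if char in UNRESERVED else "%" + match.group(1).upper()

def remove_dot_segments(path):
    # RFC 3986 section 5.2.4, applied to '/'-separated segments.
    floor = 1 if path.startswith("/") else 0  # never pop the root segment
    segments, out = path.split("/"), []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if len(out) > floor:
                out.pop()
        elif seg != ".":
            out.append(seg)
            continue
        if last:
            out.append("")  # "/a/b/.." and "/a/." both end in "/"
    return "/".join(out)

def normalize_uri(uri):
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit lowercases the host
    if ":" in host:                      # IPv6 literal: restore brackets
        host = "[" + host + "]"
    userinfo = parts.netloc.rpartition("@")[0]
    netloc = (userinfo + "@" if userinfo else "") + host
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        netloc += ":%d" % parts.port
    # Decode first, then resolve dots, so "%2e%2e" is treated as "..".
    path = remove_dot_segments(PCT.sub(_fix_escape, parts.path))
    if netloc and not path:
        path = "/"
    return urlunsplit((scheme, netloc, path,
                       PCT.sub(_fix_escape, parts.query),
                       PCT.sub(_fix_escape, parts.fragment)))

# Constructed sample input.
SAMPLE = "HTTP://Example.COM:80/a/./b/../%7euser/%2e%2e/%2fx?q=%3a"
if __name__ == "__main__":
    print(normalize_uri(SAMPLE))
```

A rule that matches on the path sees the same value for /admin/ and /admin/%2e%2e/%61dmin/ only after this kind of normalization, which is why matching is done on the normalized form.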

9.3. Dissector

class http.http

Dissector data for HTTP. In addition to the usual http-up and http-down, HTTP registers two additional hooks:

  • http-request: called when a request is fully parsed.
  • http-response: called when a response is fully parsed.

request

Inside an http-request or http-response hook, the http:request table holds information about the current request.

method
uri
version

Request line elements.

headers

Headers table.

data

Stream of HTTP data.

response

Inside an http-response hook, the http:response table holds information about the current response.

Note

This table is not available inside the hook http-request.

version
status
reason

Response line elements.

headers

Headers table.

data

Stream of HTTP data.

9.4. Example

------------------------------------
-- HTTP Policy
------------------------------------

-- add custom user-agent
haka.rule{
    hooks = { 'http-request' },
    eval = function (self, http)
        http.request.headers["User-Agent"] = "Haka User-Agent"
    end
}

-- report and alert if method is different than get and post
haka.rule{
    hooks = { 'http-request' },
    eval = function (self, http)
        local method = http.request.method:lower()
        if method ~= 'get' and method ~= 'post' then
            local conn = http.connection
            haka.alert{
                description = string.format("forbidden http method '%s'", method),
                sources = haka.alert.address(conn.srcip),
                targets = {
                    haka.alert.address(conn.dstip),
                    haka.alert.service(string.format("tcp/%d", conn.dstport), "http")
                },
            }
        end
    end
}