9. HTTP

9.1. Types

class http.uri.split

scheme

URI scheme.

authority

URI authority.

host

URI host.

userinfo

URI userinfo.

user

URI user (from userinfo).

pass

URI password (from userinfo).

Note

rfc 3986 states that the format “user:password” in the userinfo field is deprecated.

port

URI port.

path

URI path.

query

URI query.

args

URI query’s parameters.

fragment

URI fragment.

tostring(split_uri)

Recreate the URI.

normalize()

Normalize URI according to rfc 3986: remove dot-segments in path, capitalize letters in esape sequences, decode percent-encoded octets (safe decoding), remove default port, etc.

http.uri.split(str)

Split URI into subparts.

Example:

http.uri.split('http://www.example.com:8888/foo/page.php')

class http.uri.cookies

Store the cookies as a table of key-value pairs.

http.uri.cookies(str)

Parse the cookies.

Returns:cookies

9.2. Functions

http.uri.normalize(str)

Normalize URI according to rfc 3986.

See also

split:normalize()

9.3. Dissector

class http.http

Dissector data for HTTP. In addition to the usuall http-up and http-down, HTTP register two additional hooks:

• http-request: called when a request is fully parsed.
• http-response: called when a response is fully parsed.

See also

haka.dissector_data.

request

Inside a http-request or http-response hook, the http:request table holds information about the current request.

method

uri

version

Request line elements.

headers

Headers table.

data

Stream of HTTP data.

response

Inside a http-response hook, the http:response table holds information about the current response.

Note

This table is not available inside the hook http-request.

version

status

reason

Response line elements.

headers

Headers table.

data

Stream of HTTP data.

9.4. Example

------------------------------------
-- HTTP Policy
------------------------------------

-- add custom user-agent
haka.rule{
    hooks = { 'http-request' },
    eval = function (self, http)
        http.request.headers["User-Agent"] = "Haka User-Agent"
    end
}

-- report and alert if method is different than get and post
haka.rule{
    hooks = { 'http-request' },
    eval = function (self, http)
        local method = http.request.method:lower()
        if method ~= 'get' and method ~= 'post' then
            local conn = http.connection
            haka.alert{
                description = string.format("forbidden http method '%s'", method),
                sources = haka.alert.address(conn.srcip),
                targets = {
                    haka.alert.address(conn.dstip),
                    haka.alert.service(string.format("tcp/%d", conn.dstport), "http")
                },
            }
        end
    end
}