isc.sensor.parser
Class HttpParser

java.lang.Object
  extended by java.lang.Thread
      extended by isc.sensor.parser.AbstractParser
          extended by isc.sensor.parser.HttpParser
All Implemented Interfaces:
java.lang.Runnable

public class HttpParser
extends AbstractParser

A simple HTTP protocol application parser. Its output can be HTTP packet detail records, HTTP session summary records, or both; which are produced is selected in the configuration file.

Configuration attributes required for this parser:

  1. HttpParser.Ports - The list of ports this parser will operate on. Multiple ports are comma separated.
  2. HttpParser.Flags - The TCP flag values of packets which contain data to parse. Multiple flag values are comma separated.
  3. HttpParser.OutputSummary - true/false, whether to output HTTP session summary records.
  4. HttpParser.OutputDetail - true/false, whether to output HTTP packet detail records.

Example:
The configuration below registers this parser to be loaded for use with both TCP and UDP. The parser registers ports 80, 8008 and 8080. For TCP, this parser receives packets with flag values 24 (ACK/PSH) and 16 (ACK). It outputs both session summary records and packet detail records (the record definitions are given in the Data Dictionary below).

   -------  server's config.cfg file -------------
 !=====================================================================
 ! Define the Application Parser Methods and Classes
 !=====================================================================
 ! Semicolon separated list of classes to load
 
 AppLayerTCP.Parsers=isc.sensor.parser.HttpParser
 AppLayerUDP.Parsers=isc.sensor.parser.HttpParser
 
 ! HTTP Parser specifics
 HttpParser.Ports=80,8008,8080
 HttpParser.Flags=24,16
 HttpParser.OutputSummary=true
 HttpParser.OutputDetail=true
 -----------------------------------------------
 

Data Dictionary

  1. HTTPSummary - Summary of the session after all of its packets have been processed
  2. HTTPDetail - Detail of each packet processed

 HTTPSummary
 attribute       type
 startTime       java.sql.Timestamp
 sensorName      String
 interface_f1    String
 interface_f2    String
 sessionKey      String
 duration        Long
 protoNam        String
 clientAddr      String
 clientPort      Integer
 serverAddr      String
 serverPort      Integer
 status          String
 serviceName     String
 packetsSent     Long
 packetsRecv     Long
 dataSent        Long
 dataRecv        Long
 retryPktSent    Long
 retryPktRecv    Long
 hostName        String
 numRequests     Integer
 maxURLSize      Integer
 agentType       String

 HTTPDetail
 attribute       type
 packetTime      java.sql.Timestamp
 sensorName      String
 interface       String
 sessionKey      String
 protoNam        String
 srcAddr         String
 srcPort         Integer
 dstAddr         String
 dstPort         Integer
 pktLen          Integer
 referer         String
 method          String
 host            String
 response        String
 
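The following is an added illustration, not the sensor's own code, of how the per-packet HTTPDetail fields (method, host, referer, response) and the per-session HTTPSummary fields (hostName, numRequests, maxURLSize, agentType) from the data dictionary are filled from one session's packets; the packet payloads are constructed, and the set of request methods accepted as "client" start-line tokens is an assumption, since the page only states the isClientMethod contract.

```python
# Start-line tokens treated as client requests (the page's isClientMethod contract);
# the exact method set the sensor accepts is an assumption.
CLIENT_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
def is_client_method(t: str) -> bool:
    return t.upper() in CLIENT_METHODS

def split_header(payload: bytes):
    """Return (start-line tokens, lower-cased headers), or None when the payload
    does not begin with an HTTP request line or status line."""
    head = payload.decode("latin-1").split("\r\n\r\n", 1)[0].split("\r\n")
    tokens = head[0].split(" ")
    if len(tokens) < 3 or not (is_client_method(tokens[0]) or tokens[0].startswith("HTTP/")):
        return None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return tokens, headers

def parse_session(payloads):
    """Run one session's packets through the detail and summary accumulation the
    page describes; returns (HTTPDetail records, HTTPSummary record)."""
    summary = {"hostName": "", "numRequests": 0, "maxURLSize": 0, "agentType": ""}
    details = []
    for payload in payloads:
        parsed = split_header(payload)
        if parsed is None:
            continue                       # body continuation or non-HTTP data
        tokens, headers = parsed
        detail = {"method": "", "host": "", "referer": "", "response": ""}
        if is_client_method(tokens[0]):    # client side: request line + headers
            summary["numRequests"] += 1
            summary["maxURLSize"] = max(summary["maxURLSize"], len(tokens[1]))
            summary["hostName"] = headers.get("host", summary["hostName"])
            summary["agentType"] = headers.get("user-agent", summary["agentType"])
            detail.update(method=tokens[0], host=headers.get("host", ""),
                          referer=headers.get("referer", ""))
        else:                              # server side: status line, e.g. "200 OK"
            detail["response"] = " ".join(tokens[1:])
        details.append(detail)
    return details, summary

SAMPLE_PACKETS = [  # constructed request/response exchange for one TCP session
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    b"<p>body continuation packet, no HTTP header</p>",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/\r\n\r\n",
    b"HTTP/1.1 404 Not Found\r\n\r\n",
]
```

Running `parse_session(SAMPLE_PACKETS)` yields four detail records (the body-only packet is skipped) and a summary with two requests, a maximum URL size of 16 and the User-Agent carried over from the first request.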

Author:
John Casey
DNA_sensor - Aug 12, 2005
See Also:
AppProperties, AbstractParsers, PacketEvent

    Nested Class Summary
     class HttpParser.HttpSummary
               
     
    Nested classes/interfaces inherited from class isc.sensor.parser.AbstractParser
    AbstractParser.ParserState
     
    Nested classes/interfaces inherited from class java.lang.Thread
    java.lang.Thread.State, java.lang.Thread.UncaughtExceptionHandler
     
    Field Summary
    protected  java.lang.String host
              temp holds the packet http host
    protected  OAObjectManager httpDetailObj
              output adaptor for HTTPDetail
    protected  OAObjectManager httpSumObj
              output adaptor for HTTPSummary
    protected static org.apache.log4j.Logger log
              log4j
    protected  java.lang.String method
              temp holds the packet http method
    protected  java.lang.String referer
              temp holds the packet http referer
    protected  java.lang.String response
              temp holds the packet http response
     
    Fields inherited from class isc.sensor.parser.AbstractParser
    flushCtr, PARSER_WORKQUEUE_SZ, parserState, props, readyState, TCP, UDP, workQueue
     
    Fields inherited from class java.lang.Thread
    MAX_PRIORITY, MIN_PRIORITY, NORM_PRIORITY
     
    Constructor Summary
    HttpParser()
               
     
    Method Summary
    protected  void close()
              Called from AbstractParser to close all open output channels.
    protected  void closeSession(SessionBean ses)
              Called from AbstractParser to mark the session as closed and wait for the "write".
    protected  void doDetail(PacketEvent ev, java.lang.String[] t)
              Parse a packet for detail writing.
    protected  void doSummary(PacketEvent ev, java.lang.String[] t)
              Parse a packet for summary writing.
     void init(int protocol)
              Called from AbstractParser to initialize the new parser.
    protected  java.lang.String isClientMethod(java.lang.String t)
              Determine whether a string comes from an HTTP client.
    protected  void open()
              Called from AbstractParser to open all channels.
    protected  void parse(PacketEvent ev)
              Parse the incoming packet if it contains an HTTP header.
    protected  void writeOutDetail(PacketEvent ev)
              Write a detail record to the AppWriter.
    protected  void writeOutSession(HttpParser.HttpSummary sum)
              Write out a summary session record to the AppWriter.
    protected  void writeSession(java.lang.String key)
              Called from AbstractParser to tell us that this session should be written out.
     
    Methods inherited from class isc.sensor.parser.AbstractParser
    _addPacketEvent, _flush, _initMgr, _notifyProc, _processWork, _ready, _setFinish, _writeSession, initEvents, isServer, run
     
    Methods inherited from class java.lang.Thread
    activeCount, checkAccess, countStackFrames, currentThread, destroy, dumpStack, enumerate, getAllStackTraces, getContextClassLoader, getDefaultUncaughtExceptionHandler, getId, getName, getPriority, getStackTrace, getState, getThreadGroup, getUncaughtExceptionHandler, holdsLock, interrupt, interrupted, isAlive, isDaemon, isInterrupted, join, join, join, resume, setContextClassLoader, setDaemon, setDefaultUncaughtExceptionHandler, setName, setPriority, setUncaughtExceptionHandler, sleep, sleep, start, stop, stop, suspend, toString, yield
     
    Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
     

    Field Detail

    httpSumObj

    protected OAObjectManager httpSumObj
    output adaptor for HTTPSummary


    httpDetailObj

    protected OAObjectManager httpDetailObj
    output adaptor for HTTPDetail


    log

    protected static org.apache.log4j.Logger log
    log4j


    method

    protected java.lang.String method
    temp holds the packet http method


    referer

    protected java.lang.String referer
    temp holds the packet http referer


    host

    protected java.lang.String host
    temp holds the packet http host


    response

    protected java.lang.String response
    temp holds the packet http response

    Constructor Detail

    HttpParser

    public HttpParser()
    Method Detail

    init

    public void init(int protocol)
    Called from AbstractParser to initialize the new parser. The protocol argument tells the parser which protocol (TCP or UDP) is being processed.

    Specified by:
    init in class AbstractParser
    See Also:
    AbstractParser.init(int), AbstractParser.TCP, AbstractParser.UDP

    parse

    protected void parse(PacketEvent ev)
    Parse the incoming packet if it contains an HTTP header. If configured:
    1. Accumulate summary information for the HTTP session
    2. Parse and send out each packet's HTTP header

    Specified by:
    parse in class AbstractParser
    Parameters:
    ev - The packet event to be processed
    See Also:
    AbstractParser.parse(isc.sensor.parser.PacketEvent)

    doDetail

    protected void doDetail(PacketEvent ev,
                            java.lang.String[] t)
    Parse a packet for detailed writing

    Parameters:
    ev - The packet event
    t - The array of strings which contains the HTTP header methods

    doSummary

    protected void doSummary(PacketEvent ev,
                             java.lang.String[] t)
    Parse a packet for summary writing

    Parameters:
    ev - The packet event
    t - The array of strings which contains the HTTP header methods

    isClientMethod

    protected java.lang.String isClientMethod(java.lang.String t)
    Determine whether a string comes from an HTTP client

    Parameters:
    t - String containing the first method of the protocol header
    Returns:
    True if a client

    closeSession

    protected void closeSession(SessionBean ses)
    Called from AbstractParser to mark the session as closed and wait for the "write".

    Specified by:
    closeSession in class AbstractParser
    Parameters:
    ses - The session bean of the closed session
    See Also:
    AbstractParser.closeSession(isc.sensor.SessionBean)

    writeSession

    protected void writeSession(java.lang.String key)
    Called from AbstractParser to tell us that this session should be written out.

    Specified by:
    writeSession in class AbstractParser
    Parameters:
    key - The key of the session to be written.
    See Also:
    AbstractParser.writeSession(java.lang.String)

    writeOutSession

    protected void writeOutSession(HttpParser.HttpSummary sum)
    Write out a summary session record to the AppWriter

    Parameters:
    sum - HTTP summary record to write

    writeOutDetail

    protected void writeOutDetail(PacketEvent ev)
    Write a detail record to the AppWriter

    Parameters:
    ev - The packet event
    http - The vector of parsed HTTP data

    open

    protected void open()
    Called from AbstractParser to open all channels. This routine is currently a no-op.

    Specified by:
    open in class AbstractParser
    See Also:
    AbstractParser.open()

    close

    protected void close()
    Called from AbstractParser to close all open output channels.

    Specified by:
    close in class AbstractParser
    See Also:
    AbstractParser.close()