isc.sensor.parser
Class HttpParser

java.lang.Object
  java.lang.Thread
      isc.sensor.parser.AbstractParser
          isc.sensor.parser.HttpParser

All Implemented Interfaces:

java.lang.Runnable

public class HttpParser
extends AbstractParser

A simple HTTP Protocol application parser. Output can be both HTTP packet detail information and HTTP Session summary information, which is driven by the configuration file

Configuration attributes required for this parser:

1. HttpParser.Ports - The list of ports this parser will operate on. multiple ports are comma seperated.
2. HttpParser.Flags - The tcpflags which contain data to parse. multiple flags are comma seperated.
3. HttpParser.OutputSummary - true/False To output HTTP session summary
4. HttpParser.OutputDetail - true/False to output HTTP packet detail

example:
registers this parser to be loaded for use with TCP and UDP. The parser will register it's ports for 80, 8008 and 8080. For TCP, this parser will recieve packets (ACK/PSH) 24 and (ACK) 16 flags. This parser will output both session summary records and packet detail records (definition of the records are defined within this module).

   -------  server's config.cfg file -------------
 !=====================================================================
 ! Define the Application Parser Methods and Classes
 !=====================================================================
 ! Semicolon seperated list of classes to load
 
 AppLayerTCP.Parsers=isc.sensor.parser.HttpParser
 AppLayerUDP.Parsers=isc.sensor.parser.HttpParser
 
 ! HTTP Parser specifics
 HttpParser.Ports=80,8008,8080
 HttpParser.Flags=24,16
 HttpParser.OutputSummary=true
 HttpParser.OutputDetail=true
 -----------------------------------------------
 

Data Dictionary

1. HTTPSummary - Summary of the session after all packets have been processed
2. HTTPDetail - Detail of each packets processed

            HTTPSummary                      HTTPDetail
 attribute       type                attribute     type      
 startTime       java.sql.Timestamp  packetTime       java.sql.Timestamp
 sensorName      String              sensorName      String
 interface_f1    String              interface       String
 interface_f2    String              sessionKey      String
 sessionKey      String              protoNam        String
 duration        Long                srcAddr         String
 protoNam        String              srcPort         Integer
 clientAddr      String              dstAddr         String
 clientPort      Integer             dstPort         Integer
 serverAddr      String            pktLen          Integer
 serverPort      Integer             referer         String
 status          String              method          String
 serviceName     String              host            String
 packetsSent     Long                response        String
 packetsRecv     Long
 dataSent        Long
 dataRecv        Long
 retryPktSent    Long
 retryPktRecv    Long
 hostName        String
 numRequests     Integer
 maxURLSize      Integer
 agentType       String
 

Author:

John Casey

DNA_sensor - Aug 12, 2005

See Also:

AppProperties, AbstractParsers, PacketEvent

Nested Class Summary

class

HttpParser.HttpSummary

Nested classes/interfaces inherited from class isc.sensor.parser.AbstractParser

AbstractParser.ParserState

Nested classes/interfaces inherited from class java.lang.Thread

java.lang.Thread.State, java.lang.Thread.UncaughtExceptionHandler

Field Summary

protected java.lang.String	host temp holds the packet http host
protected OAObjectManager	httpDetailObj output adaptor for HTTPDetail
protected OAObjectManager	httpSumObj output adaptor for HTTPSummary
protected static org.apache.log4j.Logger	log log4j
protected java.lang.String	method temp holds the packet http method
protected java.lang.String	referer temp holds the packet http referer
protected java.lang.String	response temp holds the packet http response

Fields inherited from class isc.sensor.parser.AbstractParser

flushCtr, PARSER_WORKQUEUE_SZ, parserState, props, readyState, TCP, UDP, workQueue

Fields inherited from class java.lang.Thread

MAX_PRIORITY, MIN_PRIORITY, NORM_PRIORITY

Constructor Summary

HttpParser()

Method Summary

protected void	close() Call from the AbstractParser to close all open output channels.
protected void	closeSession(SessionBean ses) Call from the AbstractParser to set the session as closed and wait for the "write".
protected void	doDetail(PacketEvent ev, java.lang.String[] t) Parse a packet for detailed writing
protected void	doSummary(PacketEvent ev, java.lang.String[] t) Parser a packet for summary writing
void	init(int protocol) Call from AbstractParser to initialize of the new parser.
protected java.lang.String	isClientMethod(java.lang.String t) Determine if String is from an HTTP Client
protected void	open() Call from AbstractParser to open all channels.
protected void	parse(PacketEvent ev) Parse the incomming packet if it contains an HTTP header.
protected void	writeOutDetail(PacketEvent ev) Write detail recored to AppWriter
protected void	writeOutSession(HttpParser.HttpSummary sum) Write out summary session to the AppWriter
protected void	writeSession(java.lang.String key) Call from the AbstractParser to tell us that this session should be written out.

Methods inherited from class isc.sensor.parser.AbstractParser

_addPacketEvent, _flush, _initMgr, _notifyProc, _processWork, _ready, _setFinish, _writeSession, initEvents, isServer, run

Methods inherited from class java.lang.Thread

activeCount, checkAccess, countStackFrames, currentThread, destroy, dumpStack, enumerate, getAllStackTraces, getContextClassLoader, getDefaultUncaughtExceptionHandler, getId, getName, getPriority, getStackTrace, getState, getThreadGroup, getUncaughtExceptionHandler, holdsLock, interrupt, interrupted, isAlive, isDaemon, isInterrupted, join, join, join, resume, setContextClassLoader, setDaemon, setDefaultUncaughtExceptionHandler, setName, setPriority, setUncaughtExceptionHandler, sleep, sleep, start, stop, stop, suspend, toString, yield

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

httpSumObj

protected OAObjectManager httpSumObj

output adaptor for HTTPSummary

httpDetailObj

protected OAObjectManager httpDetailObj

output adaptor for HTTPDetail

log

protected static org.apache.log4j.Logger log

log4j

method

protected java.lang.String method

temp holds the packet http method

referer

protected java.lang.String referer

temp holds the packet http referer

host

protected java.lang.String host

temp holds the packet http host

response

protected java.lang.String response

temp holds the packet http response

Constructor Detail

HttpParser

public HttpParser()

Method Detail

init

public void init(int protocol)

Call from AbstractParser to initialize of the new parser. The procotol tells us which protocol is being process.

Specified by:

init in class AbstractParser

See Also:

AbstractParser.init(int), AbstractParser.TCP, AbstractParser.UDP

parse

protected void parse(PacketEvent ev)

Parse the incomming packet if it contains an HTTP header. If configured:

1. Acccumulate summary information for the HTTP session
2. Parse and send out each packet's HTTP header

Specified by:

parse in class AbstractParser

Parameters:

ev - The packet event to be processed

See Also:

AbstractParser.parse(isc.sensor.parser.PacketEvent)

doDetail

protected void doDetail(PacketEvent ev,
                        java.lang.String[] t)

Parse a packet for detailed writing

Parameters:

ev - The packet event

t - The array of strings which contains the HTTP header methods

doSummary

protected void doSummary(PacketEvent ev,
                         java.lang.String[] t)

Parser a packet for summary writing

Parameters:

ev - The packet event

t - The array of strings which contains the HTTP header methods

isClientMethod

protected java.lang.String isClientMethod(java.lang.String t)

Determine if String is from an HTTP Client

Parameters:

t - String containing the first method of the protocol header

Returns:

True if a client

closeSession

protected void closeSession(SessionBean ses)

Call from the AbstractParser to set the session as closed and wait for the "write".

Specified by:

closeSession in class AbstractParser

Parameters:

ses - The summary bean of closed

See Also:

AbstractParser.closeSession(isc.sensor.SessionBean)

writeSession

protected void writeSession(java.lang.String key)

Call from the AbstractParser to tell us that this session should be written out.

Specified by:

writeSession in class AbstractParser

Parameters:

key - The key of the sesssion to be written.

See Also:

AbstractParser.writeSession(java.lang.String)

writeOutSession

protected void writeOutSession(HttpParser.HttpSummary sum)

Write out summary session to the AppWriter

Parameters:

sum - HTTP summary record to write

writeOutDetail

protected void writeOutDetail(PacketEvent ev)

Write detail recored to AppWriter

Parameters:

ev - The packet event

http - The vector of parsed HTTP data

open

protected void open()

Call from AbstractParser to open all channels. This routine is currently a noop.

Specified by:

open in class AbstractParser

See Also:

AbstractParser.open()

close

protected void close()

Call from the AbstractParser to close all open output channels.

Specified by:

close in class AbstractParser

See Also:

AbstractParser.close()