ContextQMD
Back to Suricata

HTTP

doc/userguide/lua/libs/http.rst

latest3.7 KB
Original Source

HTTP

HTTP transaction details are exposes to Lua scripts with the suricata.http library, For example::

local http = require("suricata.http")

Setup ^^^^^

If your purpose is to create a logging script, initialize the buffer as:

::

function init (args) local needs = {} needs["protocol"] = "http" return needs end

If you are going to use the script for rule matching, choose one of the available HTTP buffers listed in :ref:lua-detection and follow the pattern:

::

function init (args) local needs = {} needs["http.request_line"] = tostring(true) return needs end

Transaction


HTTP is transaction based, and the current transaction must be obtained before use::

  local tx, err = http.get_tx()
  if tx == err then
      print(err)
  end

All other functions are methods on the transaction table.

Transaction Methods

request_header() ^^^^^^^^^^^^^^^^^^^^

Get the HTTP request header value by key.

Example::

local tx = http.get_tx() local ua = tx:request_header("User-Agent") if ua ~= nil then print(ua) end

response_header() ^^^^^^^^^^^^^^^^^^^^^

Get the HTTP response header value by key.

Example::

local tx = http.get_tx() local content_type = tx:response_header("Content-Type") if content_type ~= nil then print(content_type) end

request_line ^^^^^^^^^^^^^^^^

Get the HTTP request line as a string.

Example::

local tx = http.get_tx() local http_request_line = tx:request_line(); if #http_request_line > 0 then if http_request_line:find("^GET") then print(http_request_line) end end

response_line ^^^^^^^^^^^^^^^^^

Get the HTTP response line as a string.

Example::

local tx = http.get_tx() local http_response_line = tx:response_line(); if #http_response_line > 0 then print(http_response_line) end

request_headers_raw() ^^^^^^^^^^^^^^^^^^^^^^^^^

Get the raw HTTP request headers.

Example::

http_request_headers_raw = tx:request_headers_raw()

if #http_request_headers_raw > 0 then if http_request_headers_raw:find("User%-Agent: curl") then print(http_request_headers_raw) end end

response_headers_raw() ^^^^^^^^^^^^^^^^^^^^^^^^^^

Get the raw HTTP response headers.

Example::

http_response_headers_raw = tx:response_headers_raw()

if #http_response_headers_raw > 0 then print(http_response_headers_raw) end

request_uri_raw() ^^^^^^^^^^^^^^^^^^^^^

Get the raw HTTP request URI.

Example::

local tx = http.get_tx() http_request_uri_raw = tx:request_uri_raw() print(http_request_uri_raw)

request_uri_normalized() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Get the normalized HTTP request URI.

Example::

local tx = http.get_tx() http_request_uri_normalized = tx:request_uri_normalized() print(http_request_uri_normalized)

request_headers() ^^^^^^^^^^^^^^^^^^^^^

Get the HTTP request headers.

Example::

local tx = http.get_tx() http_request_headers = tx:request_headers() print(http_request_headers)

response_headers() ^^^^^^^^^^^^^^^^^^^^^^

Get the HTTP response headers.

Example::

local tx = http.get_tx() http_response_headers = tx:response_headers() print(http_response_headers)

request_body() ^^^^^^^^^^^^^^^^^^

Get the HTTP request body.

Example::

local tx = http.get_tx() http_request_body = tx:request_body() print(http_request_body)

response_body() ^^^^^^^^^^^^^^^^^^^

Get the HTTP response body.

Example::

local tx = http.get_tx() http_response_body = tx:response_body() print(http_response_body)

request_host() ^^^^^^^^^^^^^^^^^^

Get the HTTP request host.

Example::

local tx = http.get_tx() http_host = tx:request_host() print(http_host)