Object HttpHeader
The HTTPHeader object wraps the HTTP request and response headers along with status codes and other information. You do not construct this object directly , this is passed to you when you are working with HTTP File Extraction scripts
| name | input params | return value | description |
|---|---|---|---|
| is_request | – | boolean | True if the header is a HTTP request header |
| is_response | – | boolean | True if the header is a HTTP response header |
| get_path | – | string | The path in the HTTP request URI |
| get_value | string | string | Get the value of the requested HTTP header, Returns nil if header not found. |
| get_all_headers | – | table | Return a table of attribute => value pairs |
| get_method | – | string | For requests GET/POST/HEAD or other methods |
| get_status | – | number | HTTP Status Code 200=OK |
| is_method | string | bool | Check header method. hdr:is_method("POST") is short cut for hdr:get_method()=="POST" @ |
| match_value | string – header_name, string value_regex | bool | Short cut for get_value + match(..) check if the header value matches the specified regex (see example 3 below). The regex must be Google RE2 compatible |
Usage examples
To check whether content type contains a video*
Note we are checking for a nil value because the HTTP Header Content-Type may not be present in that header.
..
local ct = header:get_value("Content-Type")
if ct and ct:match("video") then
print(">>>>> Saving video file for analysis "..ct.."flow - "..flowkey:id() )
return true
else
return false
end
Printing all the headers
Here is a sample debug session where you can inspect the HTTP Header methods
The built in debugger is invoked as
dbg = require('debugger')
..
onfile_http = function(... req_header, resp_header, ...)
dbg()
end
The objects of type HTTPHeader can be used as shown below
debugger.lua>
debugger.lua> p req_header:get_all_headers()
req_header:get_all_headers() => {"Host" = "toolbar.google.com", "User-Agent" = "Mozilla/4.0 (compatible; GoogleToolbar 4.0.1601.4978-big; Windows XP 5.1; MSIE 6.0.2900.2180)", "Referer" = "navclient.update/en/4.0.1601.4978-big"}
debugger.lua> p resp_header:get_all_headers()
resp_header:get_all_headers() => {"Transfer-Encoding" = "chunked", "Date" = "Tue, 12 Feb 2008 14:30:02 GMT", "Content-Type" = "text/plain", "Server" = "GFE/1.3", "Cache-control" = "private"}
debugger.lua>
Function match_value
Matches a field against a regex (partial match).
Purpose
Just a convenience function that you will find very handy when inspecting HTTP , SMTP headers etc.
Parameters
| header_name | string | name of the HTTP header field |
|---|---|---|
| regex | string | a RE2 compatible regex against which the value of header_name above will be matched. The Regex algorithm used is PartialMatch |
Return value
True
the header value matches the regex
False
the header does not exist or the value does not match
Example
Say we want to match the following
-
Content-Type := application/x-shockwave-flash
-
Content-Type := application/x-msdownload
--
-- without using match_value
-- get content type, check for nil, and then use LUA regex match(..)
--
local ct = header:get_value("Content-Type")
if ct and ct:match("application/x-shockwave-flash") or ct:match("application/x-msdownload") then
print(">>>>> Saving video file for analysis "..ct.."flow - "..flowkey:id() )
return true
end
-- using match_value
--
if header:match_value("Content-Type","(shockwave|msdownload") then
print(">>>>> Saving video file for analysis "..ct.."flow - "..flowkey:id() )
return true
end