[Oisf-devel] Recommendation on accessing HTTP headers and payloads in lua at the same time

[Smutz, Charles]

All, 

The lua functionality facilitates some pretty impressive capabilities. For example, the jar scanning the ET folk are doing demonstrates a big step in the realm of client object scanning in NIDS. I’m also a fan of the pcre based flowvar capture too, now available to lua.

In playing with this, a question we’ve had is: How can we access http header data at the same time we analyze the body data?

We’re largely interesting in farming this data out to an external scanner using something like lua bindings to zmq. However, whether the scanning is fully contained in the lua script or not, I think there is value in having access to this data (both header and body at the same time). For example, I could see some headers, such as the Server or Last-Modified headers, being relevant to analysis. Note that I’m most concerned about being able to analyze the request header with the request body and the response header with the response body, but it’s easy to come up with examples where the request header would be useful in analyzing the response body. Ex. jars which require URL query parameters.

Currently, if I understand correctly, you can have a script that operates on the request/response headers or body but not both at the same time. Is that correct? Are we missing something?

I see three possible ways to facilitate operating on the bodies and headers at the same time:

1. Flowvar per metadata item: Use either lua script or pcre capture to set flowvars with the necessary header metadata, access these flowvars in the body analysis lua script. This seems possible, albeit rather inefficient and cumbersome.   

2. External Storage: Have a lua script run on both headers and body. Extract the data necessary from both and analyze together externally. You need some way to link the headers and body. I’m not sure what the best way would be. Possibly through flowvar with a unique identifier set during header script?

3. Access both header and body data directly, ex. using the needs declaration. As I understand, this isn’t possible today. However, it stands to reason that if you have access to the decoded http body, you’ve already parsed the headers (while the reverse is not always true) and should have a readily accessible reference to these headers also. Providing access to the headers at the same time the body is analyzed by lua would simplify this greatly.

I’m interested in any recommendations on how to proceed, using one of the approaches I’ve outlined, or another alternative recommendation.

Thanks,

Charles