18.3.8. HTTP

HTTP transaction details are exposed to Lua scripts through the suricata.http library. Load it with:

local http = require("suricata.http")

18.3.8.1. Setup

If your purpose is to create a logging script, register the script for the HTTP protocol in init:

function init (args)
   local needs = {}
   needs["protocol"] = "http"
   return needs
end

If you are going to use the script for rule matching, choose one of the available HTTP buffers listed in Lua Scripting for Detection and follow the pattern:

function init (args)
   local needs = {}
   needs["http.request_line"] = tostring(true)
   return needs
end

18.3.8.1.1. Transaction

HTTP is transaction based, and the current transaction must be obtained before use:

local tx, err = http.get_tx()
if tx == nil then
    print(err)
end

All other functions are methods on the transaction table.
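The following is an added example, not a script from the Suricata documentation or project, showing how the rule-matching init pattern above combines with http.get_tx() and the transaction methods in a detection script. It assumes Suricata's match() callback convention (return 1 to match, 0 otherwise), that get_tx() returns nil plus an error string when no transaction is available, and that the script is referenced from a rule with the lua keyword; the script name, path prefix and User-Agent check are illustrative choices.

```lua
local http = require("suricata.http")

-- Added example (assumed rule, not from the original page):
--   alert http any any -> any any (msg:"Lua: tool access to /admin"; \
--     lua:http_admin_tool.lua; sid:1000001; rev:1;)

function init (args)
   local needs = {}
   needs["http.request_line"] = tostring(true)
   return needs
end

-- Match when a GET or POST for a path under /admin (assumed prefix) is sent
-- by a client whose User-Agent is missing or starts with "curl/".
function match (args)
   local tx, err = http.get_tx()
   if tx == nil then
      -- No transaction yet (e.g. called before the request line was parsed).
      return 0
   end

   local line = tx:request_line()
   if line == nil or #line == 0 then
      return 0
   end

   -- The request line is "METHOD SP URI SP VERSION"; capture the method.
   local method = line:match("^(%u+)%s")
   if method ~= "GET" and method ~= "POST" then
      return 0
   end

   -- Check the raw URI so unnormalised forms of the path are still seen.
   local uri = tx:request_uri_raw()
   if uri == nil or not uri:find("^/admin") then
      return 0
   end

   -- request_header() returns nil when the header is absent, as in the
   -- examples on this page; treat a missing User-Agent as suspicious too.
   local ua = tx:request_header("User-Agent")
   if ua == nil or ua:lower():find("^curl/") then
      return 1
   end
   return 0
end
```

Because match() can be invoked before the transaction exists, every lookup is guarded before string operations such as #line or :find are applied; calling these on nil raises a Lua error and the rule silently stops matching.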

18.3.8.1.2. Transaction Methods

18.3.8.2. request_header()

Get the value of the HTTP request header named by key; returns nil when the header is absent.

Example:

local tx = http.get_tx()
local ua = tx:request_header("User-Agent")
if ua ~= nil then
      print(ua)
end

18.3.8.3. response_header()

Get the value of the HTTP response header named by key; returns nil when the header is absent.

Example:

local tx = http.get_tx()
local content_type = tx:response_header("Content-Type")
if content_type ~= nil then
      print(content_type)
end

18.3.8.4. request_line()

Get the HTTP request line as a string.

Example:

local tx = http.get_tx()
local http_request_line = tx:request_line()
if http_request_line ~= nil and #http_request_line > 0 then
    if http_request_line:find("^GET") then
        print(http_request_line)
    end
end

18.3.8.5. response_line()

Get the HTTP response line as a string.

Example:

local tx = http.get_tx()
local http_response_line = tx:response_line()
if http_response_line ~= nil and #http_response_line > 0 then
      print(http_response_line)
end

18.3.8.6. request_headers_raw()

Get the raw HTTP request headers.

Example:

local tx = http.get_tx()
local http_request_headers_raw = tx:request_headers_raw()

if http_request_headers_raw ~= nil and #http_request_headers_raw > 0 then
    -- "-" is a pattern magic character in Lua, so it is escaped with "%"
    if http_request_headers_raw:find("User%-Agent: curl") then
        print(http_request_headers_raw)
    end
end

18.3.8.7. response_headers_raw()

Get the raw HTTP response headers.

Example:

local tx = http.get_tx()
local http_response_headers_raw = tx:response_headers_raw()

if http_response_headers_raw ~= nil and #http_response_headers_raw > 0 then
      print(http_response_headers_raw)
end

18.3.8.8. request_uri_raw()

Get the raw HTTP request URI.

Example:

local tx = http.get_tx()
local http_request_uri_raw = tx:request_uri_raw()
print(http_request_uri_raw)

18.3.8.9. request_uri_normalized()

Get the normalized HTTP request URI.

Example:

local tx = http.get_tx()
local http_request_uri_normalized = tx:request_uri_normalized()
print(http_request_uri_normalized)

18.3.8.10. request_headers()

Get all HTTP request headers as a Lua table of header name to value.

Example:

local tx = http.get_tx()
local http_request_headers = tx:request_headers()
-- print() on a table only shows its address; iterate it instead
for name, value in pairs(http_request_headers) do
    print(name, value)
end

18.3.8.11. response_headers()

Get all HTTP response headers as a Lua table of header name to value.

Example:

local tx = http.get_tx()
local http_response_headers = tx:response_headers()
-- print() on a table only shows its address; iterate it instead
for name, value in pairs(http_response_headers) do
    print(name, value)
end

18.3.8.12. request_body()

Get the HTTP request body.

Example:

local tx = http.get_tx()
local http_request_body = tx:request_body()
print(http_request_body)

18.3.8.13. response_body()

Get the HTTP response body.

Example:

local tx = http.get_tx()
local http_response_body = tx:response_body()
print(http_response_body)
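As an added example that is not part of the Suricata documentation or project, the logging-script init pattern from the Setup section and the transaction methods above can be combined into an output script that writes one line per HTTP transaction. It assumes Suricata's output-script callbacks init/setup/log/deinit, that the Lua io library is available to output scripts, and the log file path given in the code; the field names and the escaping rule are illustrative choices.

```lua
local http = require("suricata.http")

-- Assumed output path; adjust to your deployment.
local LOG_FILE = "/var/log/suricata/http-lua.log"
local file = nil

function init (args)
   local needs = {}
   needs["protocol"] = "http"
   return needs
end

function setup (args)
   file = assert(io.open(LOG_FILE, "a"))
end

-- Header and URI values are attacker controlled: replace CR, LF and "="
-- so a crafted value cannot inject a fake line or key into the log.
local function clean (s)
   if s == nil then
      return "-"
   end
   return (s:gsub("[\r\n=]", "?"))
end

function log (args)
   local tx, err = http.get_tx()
   if tx == nil then
      return
   end

   local parts = {
      "req=" .. clean(tx:request_line()),
      "uri=" .. clean(tx:request_uri_normalized()),
      "host=" .. clean(tx:request_header("Host")),
      "ua=" .. clean(tx:request_header("User-Agent")),
      "resp=" .. clean(tx:response_line()),
      "ctype=" .. clean(tx:response_header("Content-Type")),
   }

   -- Body size rather than content: bodies may be large or binary.
   local body = tx:request_body()
   parts[#parts + 1] = "req_body_len=" .. (body and #body or 0)

   -- request_headers() returns a table; count its entries with pairs().
   local nhdr = 0
   for _ in pairs(tx:request_headers() or {}) do
      nhdr = nhdr + 1
   end
   parts[#parts + 1] = "req_hdrs=" .. nhdr

   file:write(table.concat(parts, " "), "\n")
   file:flush()
end

function deinit (args)
   if file ~= nil then
      file:close()
      file = nil
   end
end
```

Every value passes through clean() before it reaches the file, and fields that are absent (for example no response yet when the transaction is logged) are written as "-" rather than causing a concatenation error on nil.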