Object HttpHeader

The HTTPHeader object wraps the HTTP request and response headers along with status codes and other information. You do not construct this object directly , this is passed to you when you are working with HTTP File Extraction scripts

name input params return value description
is_request boolean True if the header is a HTTP request header
is_response boolean True if the header is a HTTP response header
get_path string The path in the HTTP request URI
get_value string string Get the value of the requested HTTP header, Returns nil if header not found.
get_all_headers table Return a table of attribute => value pairs
get_method string For requests GET/POST/HEAD or other methods
get_status number HTTP Status Code 200=OK
is_method string bool Check header method. hdr:is_method("POST") is short cut for hdr:get_method()=="POST" @
match_value string – header_name, string value_regex bool Short cut for get_value + match(..) check if the header value matches the specified regex (see example 3 below). The regex must be Google RE2 compatible

Usage examples

To check whether content type contains a video*

Note we are checking for a nil value because the HTTP Header Content-Type may not be present in that header.


  ..
  local ct = header:get_value("Content-Type")

  if ct and ct:match("video")   then
      print(">>>>>  Saving video file for analysis "..ct.."flow - "..flowkey:id() )
      return true
  else
      return false
  end

Printing all the headers

Here is a sample debug session where you can inspect the HTTP Header methods

The built in debugger is invoked as


dbg = require('debugger')
..
onfile_http = function(... req_header, resp_header, ...)

	dbg()

end

The objects of type HTTPHeader can be used as shown below


debugger.lua> 
debugger.lua> p req_header:get_all_headers()

req_header:get_all_headers() => {"Host" = "toolbar.google.com", "User-Agent" = "Mozilla/4.0 (compatible; GoogleToolbar 4.0.1601.4978-big; Windows XP 5.1; MSIE 6.0.2900.2180)", "Referer" = "navclient.update/en/4.0.1601.4978-big"}

debugger.lua> p resp_header:get_all_headers()

resp_header:get_all_headers() => {"Transfer-Encoding" = "chunked", "Date" = "Tue, 12 Feb 2008 14:30:02 GMT", "Content-Type" = "text/plain", "Server" = "GFE/1.3", "Cache-control" = "private"}

debugger.lua> 

Function match_value

Matches a field against a regex (partial match).

Purpose

Just a convenience function that you will find very handy when inspecting HTTP , SMTP headers etc.

Parameters

header_name string name of the HTTP header field
regex string a RE2 compatible regex against which the value of header_name above will be matched. The Regex algorithm used is PartialMatch

Return value

True
the header value matches the regex
False
the header does not exist or the value does not match

Example

Say we want to match the following

  1. Content-Type := application/x-shockwave-flash
  2. Content-Type := application/x-msdownload

--
-- without using match_value
-- get content type, check for nil, and then use LUA regex match(..)
--
local ct = header:get_value("Content-Type")
if ct and ct:match("application/x-shockwave-flash") or ct:match("application/x-msdownload")   then  
	print(">>>>>  Saving video file for analysis "..ct.."flow - "..flowkey:id() )
	return true
end

-- using match_value
--
if header:match_value("Content-Type","(shockwave|msdownload") then
	print(">>>>>  Saving video file for analysis "..ct.."flow - "..flowkey:id() )
	return true
end