Christopher Ahearn

Not just a number.  Looking at HTTP Response codes

Blog post created by Christopher Ahearn on Jun 7, 2016

Sometimes you just want the number. The HTTP response code number, that is.


HTTP is one of the largest traffic types our decoders see. We parse a great deal of it into meta, which is then indexed for later searching. While certain error responses are already parsed into the 'error' meta key, sometimes an analyst just wants the code number. No description. Just the number, like 200, 404 or 302.


I wrote a quick Lua parser that does exactly this and writes the status code into 'result.code'. I chose 'result.code' because log decoders already populate that key when parsing web proxy logs, so packet-derived and log-derived status codes land in the same place. Being able to pivot across both sources from one key seemed the ideal choice here.
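The attached Lua parser is not reproduced on this page, so the following is an added example (mine, not the author's parser and not part of the original post) that shows the extraction logic in plain Python rather than against the NetWitness Lua parser API. It walks a server-to-client TCP payload response by response, pulls the three-digit status code from each status line, and returns the bare numbers that the parser would register under 'result.code'. The sample stream, the function names and the 'result.code' pairing in to_meta are constructed for illustration; the stream is built so that a status line quoted inside a response body is not mistaken for a real one, and a chunked body, which this example does not frame, stops the walk rather than guessing.

```python
"""Extract bare HTTP response status codes from a server-to-client TCP payload.

Added example; not the NetWitness parser itself. Names and sample data are constructed.
"""
import re
from typing import List, Tuple

# Status line per RFC 7230 s3.1.2: HTTP-version SP status-code SP reason-phrase CRLF.
# The reason phrase may be empty, so everything after the code is optional.
# No anchor: Pattern.match(payload, pos) already anchors at pos.
STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})(?: [^\r\n]*)?\r\n")
HEADER_END = b"\r\n\r\n"
CONTENT_LENGTH = re.compile(rb"^Content-Length:[ \t]*(\d+)[ \t]*\r\n",
                            re.IGNORECASE | re.MULTILINE)
CHUNKED = re.compile(rb"^Transfer-Encoding:[^\r\n]*chunked",
                     re.IGNORECASE | re.MULTILINE)


def status_codes(payload: bytes) -> List[str]:
    """Return the status code of every response message in the stream, as strings.

    The stream is walked message by message so that text such as
    'HTTP/1.1 200 OK' inside a body (a proxied or quoted response) is not
    counted as a status line. The walk stops when the next message boundary
    cannot be determined (chunked body, no Content-Length, truncated headers).
    """
    codes: List[str] = []
    pos = 0
    while pos < len(payload):
        m = STATUS_LINE.match(payload, pos)
        if m is None:
            break  # not a response message here (a request line, or garbage)
        code = m.group(1).decode("ascii")
        if not 100 <= int(code) <= 599:
            break  # three digits but not a valid status class; treat as not HTTP
        codes.append(code)
        hdr_end = payload.find(HEADER_END, pos)
        if hdr_end == -1:
            break  # headers truncated; the body cannot be located
        headers = payload[pos:hdr_end + 2]  # keep the CRLF of the last header line
        body_start = hdr_end + len(HEADER_END)
        if code.startswith("1") or code in ("204", "304"):
            pos = body_start  # RFC 7230 s3.3.3: these responses never carry a body
            continue
        if CHUNKED.search(headers):
            break  # chunked framing is not implemented in this example
        cl = CONTENT_LENGTH.search(headers)
        if cl is None:
            break  # body runs to connection close; nothing can follow it
        pos = body_start + int(cl.group(1))
    return codes


def to_meta(payload: bytes) -> List[Tuple[str, str]]:
    """Pair each extracted code with the meta key the post chose, 'result.code'."""
    return [("result.code", code) for code in status_codes(payload)]


# Constructed sample: two pipelined responses; the second body quotes a status line,
# which must not be reported. Body length 24 == len("HTTP/1.1 404 Not Found\r\n").
SAMPLE_STREAM = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"HTTP/1.1 404 Not Found\r\n"
)

if __name__ == "__main__":
    for key, value in to_meta(SAMPLE_STREAM):
        print(key, value)
```

Two caveats worth carrying over to any real packet parser: a response to a HEAD request has a Content-Length but no body, which this example cannot know without seeing the request side of the session, and HTTP/2 frames carry the status in a binary header block, so a text status-line match never fires on them.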



A copy of the parser is attached. It is meant to be deployed to packet decoders only; log decoders already populate 'result.code' on their own. This functionality may be folded into one of the existing parsers (most likely http_lua) in the future.


I hope you find this parser useful.  Happy hunting.