Decoder: HTTP Parsers

Document created by RSA Information Design and Development Employee on Jan 31, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 5

The HTTP parser is a native parser that Decoders use to parse both requests and responses in HTTP messages. In version 11.4 and later, the HTTP parser provides a decompression option.

The decompression option mimics the decompression option in the Lua HTTP parser and is controlled by the 'decompression' option for the HTTP parser. Parser options are set in the /decoder/parsers/config/parsers.options configuration node. To set an option on the HTTP parser, append an HTTP="" clause to the parsers.options field so that the HTTP parser can read the 'decompression' option.

For example, you could add HTTP="decompression=true" to the parser option list to enable decompression of all HTTP compressed bodies.

You can use the following values in the 'decompression' field.

                                                               
Value   Description                                Example Entry in parsers.options
true    Decompress all bodies                      HTTP="decompress=true"
false   Do not decompress. This is the default.    HTTP="decompress=false"
1       Decompress application/* content           HTTP="decompress=1"
2       Decompress audio/* content                 HTTP="decompress=2"
4       Decompress font/* content                  HTTP="decompress=4"
8       Decompress image/* content                 HTTP="decompress=8"
16      Decompress message/* content               HTTP="decompress=16"
32      Decompress model/* content                 HTTP="decompress=32"
64      Decompress text/* content                  HTTP="decompress=64"
128     Decompress video/* content                 HTTP="decompress=128"

The numeric values can be combined by addition to decompress multiple types of content. For example, if you want to decompress application and text content, use 1 + 64 = 65, which becomes HTTP="decompress=65".
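The following added example (not part of the RSA documentation or product code) builds the combined value from a list of media types and checks which Content-Type values a given setting selects, which helps when reviewing what a Decoder will and will not decompress. The function names are hypothetical, the clause uses the key as written in the table, and the handling of media types missing from the table is an assumption.

```python
# Added example. Bit values are copied from the table above.
TYPE_BITS = {
    "application": 1, "audio": 2, "font": 4, "image": 8,
    "message": 16, "model": 32, "text": 64, "video": 128,
}
ALL_BITS = sum(TYPE_BITS.values())  # every listed type selected


def top_level(content_type):
    """'Text/HTML; charset=utf-8' or 'text/*' -> 'text'."""
    return content_type.split("/", 1)[0].strip().lower()


def decompress_value(types):
    """Combine the table values; OR keeps a repeated type from counting twice."""
    value = 0
    for t in types:
        name = top_level(t)
        if name not in TYPE_BITS:
            raise ValueError(f"no table value for {t!r}")
        value |= TYPE_BITS[name]
    return value


def http_clause(types):
    """Clause to append to parsers.options, in the form the table shows."""
    return f'HTTP="decompress={decompress_value(types)}"'


def covered_types(value):
    """List the media types selected by a numeric setting."""
    if not 1 <= value <= ALL_BITS:
        raise ValueError(f"{value} is not a sum of table values")
    return [name for name, bit in TYPE_BITS.items() if value & bit]


def would_decompress(setting, content_type):
    """True if a body with this Content-Type is selected by the setting."""
    s = str(setting).strip().lower()
    if s in ("true", "false"):
        return s == "true"
    # Assumption: types absent from the table are not selected by a number.
    return top_level(content_type) in covered_types(int(s))


if __name__ == "__main__":
    print(http_clause(["application", "text"]))
    print(covered_types(65))
    print(would_decompress(65, "image/png"))
```

Under the stated assumption, a setting of 255 selects only the eight listed types, whereas true covers all bodies.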

To set the decompression option:

  1. Go to Admin > Services and select a Decoder, and in the actions menu, select View > Explore.
  2. Expand decoder > parsers and select config.
  3. In parsers.options, append HTTP="decompress=<option from table>".
  4. In the left panel, right-click parsers and click Properties. In the drop-down menu, select reload and then click Send.

Visibility into HTTP/2 Sessions

You can search for metadata items derived from headers in the HTTP/2 stream to gain visibility into HTTP/2 sessions.

To turn on header parsing for HTTP/2 sessions:

  1. Go to ADMIN > Services and select a Decoder, and in the actions menu, select View > Explore.
  2. Expand decoder > parsers and select config.
  3. In parsers.options, append HTTP2="headers=true".
  4. In the left panel, right-click parsers and click Properties. In the drop-down menu, select reload and then click Send.
