HTTP Parsers

Document created by RSA Information Design and Development on Jan 31, 2020
Last modified by RSA Information Design and Development on Mar 20, 2020
Version 2

The HTTP parser is a native parser that Decoders use to parse both requests and responses in HTTP messages. In version 11.4 and later, the HTTP parser provides a decompression option.

The decompression option mimics the one in the Lua HTTP parser and is controlled by the 'decompression' option for the HTTP parser. Parser options are set in the /decoder/parsers/config/parsers.options configuration node. To set an option on the HTTP parser, append an HTTP="" clause to the parsers.options field so that the HTTP parser picks up the 'decompression' option.

For example, you could add HTTP="decompression=true" to the parser option list to enable decompression of all HTTP compressed bodies.

You can use the following values in the 'decompression' field.

                                                               
| Value | Description | Example Entry in parsers.options |
|-------|-------------|----------------------------------|
| true | Decompress all bodies | HTTP="decompress=true" |
| false | Do not decompress. This is the default. | HTTP="decompress=false" |
| 1 | Decompress application/* content | HTTP="decompress=1" |
| 2 | Decompress audio/* content | HTTP="decompress=2" |
| 4 | Decompress font/* content | HTTP="decompress=4" |
| 8 | Decompress image/* content | HTTP="decompress=8" |
| 16 | Decompress message/* content | HTTP="decompress=16" |
| 32 | Decompress model/* content | HTTP="decompress=32" |
| 64 | Decompress text/* content | HTTP="decompress=64" |
| 128 | Decompress video/* content | HTTP="decompress=128" |

The numeric values can be combined by addition to decompress multiple types of content. For example, if you want to decompress application and text content, use 1 + 64 = 65, which becomes HTTP="decompress=65".

To set the decompression option:

  1. Go to ADMIN > Services and select a Decoder, and in the actions menu, select View > Explore.
  2. Expand decoder > parsers and select config.
  3. In parsers.options, append HTTP="decompress=<option from table>".
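
The following is an added example, not RSA code: it computes the combined value from the table, decodes an existing value back into MIME families for a configuration audit, and sets the clause in a parsers.options string. It uses the `decompress=` spelling from the table; the function names are hypothetical, and it assumes that parsers.options holds whitespace-separated NAME="..." clauses and that `decompress` is the only option in an existing HTTP clause.

```python
import re

# Bit values from the table above, one per MIME top-level type.
FAMILIES = {"application": 1, "audio": 2, "font": 4, "image": 8,
            "message": 16, "model": 32, "text": 64, "video": 128}
# Assumption: parsers.options holds whitespace-separated NAME="..." clauses.
# The lookbehind and the literal =" keep HTTP2="..." from matching.
HTTP_CLAUSE = re.compile(r'(?<!\S)HTTP="([^"]*)"')

def encode(families):
    """Add up the table values for the requested MIME families."""
    unknown = sorted(set(families) - set(FAMILIES))
    if unknown or not families:
        raise ValueError(f"need families from the table, got {list(families)}")
    return sum(FAMILIES[f] for f in set(families))

def decode(value):
    """Return the MIME families that a decompress value covers."""
    v = value.strip().lower()
    if v == "true":
        return ["*"]                      # all bodies
    if v == "false":
        return []                         # the default: nothing
    if not v.isdigit() or not 0 < int(v) <= sum(FAMILIES.values()):
        raise ValueError(f"not a value from the table: {value!r}")
    return [name for name, bit in FAMILIES.items() if int(v) & bit]

def audit(options):
    """List what the HTTP clause of a parsers.options string decompresses."""
    clause = HTTP_CLAUSE.search(options)
    setting = clause and re.search(r"\bdecompress=(\w+)", clause.group(1))
    return decode(setting.group(1)) if setting else []

def with_decompress(options, families):
    """Return options with HTTP="decompress=<sum>" set or appended.

    Assumption: decompress is the only option in an existing HTTP clause,
    so the whole clause is replaced.
    """
    clause = f'HTTP="decompress={encode(families)}"'
    if HTTP_CLAUSE.search(options):
        return HTTP_CLAUSE.sub(clause, options, count=1)
    return f"{options} {clause}".strip()

if __name__ == "__main__":
    current = 'HTTP2="headers=true" HTTP="decompress=65"'   # constructed sample
    print(audit(current))
    print(with_decompress(current, ["image", "video"]))
```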

Visibility into HTTP/2 Sessions

You can search for metadata items derived from headers in the HTTP/2 stream to gain visibility into HTTP/2 sessions.

To turn on header parsing for HTTP/2 sessions:

  1. Go to ADMIN > Services and select a Decoder, and in the actions menu, select View > Explore.
  2. Expand decoder > parsers and select config.
  3. In parsers.options, append HTTP2="headers=true".
