MITRECND / chopshop

Protocol Analysis/Decoder Framework
https://chopshop.readthedocs.org/
487 stars 112 forks

Port Numbers & http_extractor #22

Closed paramduggal closed 10 years ago

paramduggal commented 10 years ago

As per the current code, the http_extractor module discovers HTTP traffic only over port 80.

def taste(tcp):
    # ChopShop calls taste() once per TCP stream; tcp.addr is ((src, sport), (dst, dport))
    ((src, sport), (dst, dport)) = tcp.addr
    # The decoder is only offered streams where one side is port 80
    if sport != 80 and dport != 80:
        return False

As much malware communicates over HTTP on non-standard ports, it is suggested that the module should:

Mraoul commented 10 years ago

It's a good idea. I'll incorporate a change into the ChopShop v4 branch.

Since we're using libhtp, it'd make more sense to do the first option and allow the user to specify the port (giving the option to allow all ports to be scanned).
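The change both comments ask for, as an added example that is not chopshop's own code: a taste() check whose port list comes from a user option instead of a hard-coded 80, with an "any" value that offers every stream to the HTTP parser. The option syntax ("80,8080,8000-8100" or "any"), the make_taste/parse_ports names and the FakeTcp stand-in are assumptions of this example; only the tcp.addr layout ((src, sport), (dst, dport)) is taken from the snippet in the issue.

```python
# Added example, not chopshop's own code. Port filter for an HTTP decoder's
# taste() that honours a user-supplied port spec instead of hard-coding 80.
# The spec format and function names are assumptions of this example; the
# tcp.addr layout ((src, sport), (dst, dport)) comes from the issue's snippet.
from collections import namedtuple

DEFAULT_PORTS = "80"  # unchanged default: only classic HTTP port


def parse_ports(spec):
    """Return None (meaning every port) or a frozenset of ports parsed from a
    spec such as '80', '80,8080' or '8000-8100,443'. Raises ValueError on junk,
    so a typo in the option fails loudly instead of silently filtering nothing."""
    spec = spec.strip().lower()
    if spec in ("any", "all", "*"):
        return None
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port or range: {item!r}")
        ports.update(range(lo, hi + 1))
    if not ports:
        raise ValueError(f"no ports in spec: {spec!r}")
    return frozenset(ports)


def is_valid_spec(spec):
    """True if parse_ports() accepts the spec, False otherwise."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def make_taste(port_spec=DEFAULT_PORTS):
    """Build a taste(tcp) callable bound to the parsed port spec. With 'any'
    every stream is accepted and the HTTP parser (libhtp in chopshop) is left
    to reject streams that turn out not to be HTTP."""
    allowed = parse_ports(port_spec)

    def taste(tcp):
        ((src, sport), (dst, dport)) = tcp.addr
        if allowed is None:
            return True
        return sport in allowed or dport in allowed

    return taste


# Constructed stand-in for the tcp object chopshop hands to taste()
FakeTcp = namedtuple("FakeTcp", ["addr"])


def stream(sport, dport):
    """Constructed TCP stream with documentation-range addresses."""
    return FakeTcp(addr=(("192.0.2.10", sport), ("203.0.113.9", dport)))


if __name__ == "__main__":
    for spec in ("80", "80,8080", "8000-8100", "any"):
        taste = make_taste(spec)
        print(spec, [taste(stream(51000, p)) for p in (80, 8080, 8050, 31337)])
```

Scanning every stream ("any") trades CPU for coverage: the port check no longer rejects anything, so the cost moves into the HTTP parser, which has to look at every non-HTTP stream too before discarding it. A bounded list such as "80,8080,8000-8100" keeps the default behaviour for analysts who know which ports their capture uses.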