aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

GetProtoHTTPByName for net_packet_http_request #4346

Open HenrikWittemeier opened 1 month ago

HenrikWittemeier commented 1 month ago

Description

Hi, I'm trying to write a Go signature in which I need the HTTPRequest header data of the event net_packet_http_request. I found the function GetProtoHTTPByName(eventObj, "http_proto") that works with the event net_packet_http, but I found no way to do something similar with the net_packet_http_request event.

Thanks for your help!

Steps to reproduce

  1. Write a Go Signature that uses the event net_packet_http_request and try to get the http_request field of the event.
  2. Compile and run it
  3. See the error protocol HTTP: type error (should be trace.ProtoHTTP, is trace.ProtoHTTPRequest)"}"}]

Output of tracee version:

Tracee Version v0.22.0

Output of uname -a:

Linux tracee-hqmbk 6.8.0-45-generic #45-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 30 12:02:04 UTC 2024 x86_64 GNU/Linux

rscampos commented 1 month ago

Hello @HenrikWittemeier,

The GetProtoHTTPByName helper currently only works for the net_packet_http event, not for the net_packet_http_request event. While it is possible to retrieve the request header from net_packet_http_request using GetTraceeArgumentByName, we have decided to create a new helper, GetProtoHTTPRequestByName, to streamline this process.

The GetProtoHTTPRequestByName helper will function similarly to GetProtoHTTPByName, making it easier to handle HTTP requests for the net_packet_http_request event. Note that it is necessary to use http_request instead of http_proto.

httpRequest, err := helpers.GetProtoHTTPRequestByName(eventObj, "http_request")
if err != nil {
    return err
}

For this to work, you need to use the Tracee main branch. If you are using the latest Tracee release, please follow these steps:

arg, err := helpers.GetTraceeArgumentByName(eventObj, "http_request", helpers.GetArgOps{DefaultArgs: false})
if err != nil {
    return err
}

httpRequest, ok := arg.Value.(trace.ProtoHTTPRequest)

if !ok {
    return nil
}
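
The type error from the issue and the type-assertion workaround from the reply, as an added example that is not part of the thread or of Tracee's code. It uses local stand-in types (assumptions) in place of Tracee's trace package so it runs without the Tracee modules; requestHeader is a hypothetical helper, and the sample event is constructed.

```go
package main

import (
	"fmt"
	"net/http"
)

// Local stand-ins (assumptions) for Tracee's trace.Argument, trace.Event,
// trace.ProtoHTTP and trace.ProtoHTTPRequest, reduced to what the example needs.
type Argument struct {
	Name  string
	Value interface{}
}
type Event struct {
	EventName string
	Args      []Argument
}
type ProtoHTTP struct{ Direction string }
type ProtoHTTPRequest struct {
	Method, Host, URIPath string
	Headers               http.Header
}

// requestHeader (hypothetical helper) returns one header from the event's
// "http_request" argument. A missing argument and a wrong concrete type are
// reported as distinct errors, so a signature does not skip events silently.
func requestHeader(ev Event, header string) (string, error) {
	for _, arg := range ev.Args {
		if arg.Name != "http_request" {
			continue
		}
		req, ok := arg.Value.(ProtoHTTPRequest)
		if !ok {
			return "", fmt.Errorf("http_request: type error (should be ProtoHTTPRequest, is %T)", arg.Value)
		}
		return req.Headers.Get(header), nil // Get canonicalizes the header name
	}
	return "", fmt.Errorf("event %s has no http_request argument", ev.EventName)
}

func main() {
	// Constructed sample event, not captured Tracee output.
	ev := Event{EventName: "net_packet_http_request", Args: []Argument{{
		Name: "http_request",
		Value: ProtoHTTPRequest{Method: "GET", Host: "example.test", URIPath: "/",
			Headers: http.Header{"User-Agent": {"curl/8.5.0"}}},
	}}}
	fmt.Println(requestHeader(ev, "user-agent"))
}
```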