HTTP request and response
HTTP requests and responses are another critical component analyzed to gather information about client and server interactions. HTTP (Hypertext Transfer Protocol) is the foundation of web communication, and analyzing the characteristics of HTTP traffic can reveal useful details about a system's software, configuration, and behavior.
HTTP signature
For HTTP traffic, signature layout is as follows:
sig = ver:horder:habsent:expsw
ver: 0 for HTTP/1.0, 1 for HTTP/1.1, or '*' for any.
horder: comma-separated, ordered list of headers that should appear in matching traffic. Substrings to match within each of these headers may be specified using a name=[value] notation. The signature will be matched even if other headers appear in between, as long as the list itself is matched in the specified sequence.
Headers that usually do appear in the traffic, but may go away (e.g. Accept-Language if the user has no languages defined, or Referer if no referring site exists) should be prefixed with '?', e.g. "?Referer". p0f will accept their disappearance, but will not allow them to appear at any other location.
habsent: comma-separated list of headers that must *not* appear in matching traffic. This is particularly useful for noting the absence of standard headers (e.g. 'Host'), or for differentiating between otherwise very similar signatures.
expsw: expected substring in 'User-Agent' or 'Server'. This is not used to match traffic, and merely serves to detect dishonest software. If you want to explicitly match User-Agent, you need to do this in the 'horder' section.
HTTP Request
These are sent by the client (typically a web browser) to request resources from a server. The request includes information such as the HTTP method (GET, POST, etc.), headers, and sometimes cookies or other client-specific data.
HTTP Request Analyzed
.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (http request) ]-
|
| client = 1.2.3.4/1524
| app = Firefox:10.x or newer
| lang = English
| params = none
| raw_sig = 1:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language=[;q=],Accept-Encoding=[gzip, deflate],?DNT=[1],Connection=[keep-alive],?Referer:Accept-Charset,Keep-Alive:Firefox/
|
`----
HTTP Request Key Fields
client: The source IP and port initiating the connection.
app: The browser identified by matching the request against the signature database.
lang: The client language identified by matching the request against the signature database.
params: Additional parameters or optional data included in the headers.
raw_sig: The raw HTTP request signature derived from the observed headers, in the ver:horder:habsent:expsw layout described above.
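The following Python script is an added example, not code from this page or from p0f itself, that ties together the signature layout described above and the raw_sig line in the analyzed request: it parses a ver:horder:habsent:expsw signature (bracket-aware, so a value such as [gzip, deflate] survives the comma split), matches it against a list of observed headers following the ordering, optional-header and absence rules given above, and applies the expsw check as a separate "dishonest software" flag rather than as part of the match. The signature string is the Firefox raw_sig from the analyzed request; the header lists are constructed for the example, and the matching logic is an illustration of the rules as the page states them, not a copy of p0f's implementation.

```python
"""Parse and match p0f-style HTTP signatures (illustrative, not p0f's own code)."""
from dataclasses import dataclass
from typing import Optional


def split_outside_brackets(text: str, sep: str) -> list[str]:
    """Split on `sep` only where it is not inside a [...] value."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


@dataclass
class HeaderSpec:
    name: str             # header name, lower-cased for case-insensitive comparison
    optional: bool        # prefixed with '?' in the signature
    value: Optional[str]  # substring that must appear in the header value, if given


@dataclass
class HttpSig:
    ver: str                 # "0", "1" or "*"
    horder: list[HeaderSpec]
    habsent: list[str]
    expsw: str


def parse_sig(sig: str) -> HttpSig:
    """Parse 'ver:horder:habsent:expsw' into an HttpSig."""
    ver, horder, habsent, expsw = split_outside_brackets(sig, ":")
    specs = []
    for item in split_outside_brackets(horder, ","):
        if not item:
            continue
        optional = item.startswith("?")
        item = item.lstrip("?")
        value = None
        if "=[" in item and item.endswith("]"):
            name, value = item[:-1].split("=[", 1)   # name=[substring]
        else:
            name = item
        specs.append(HeaderSpec(name.lower(), optional, value))
    absent = [h.lower() for h in habsent.split(",") if h]
    return HttpSig(ver, specs, absent, expsw)


def match_sig(sig: HttpSig, version: str, headers: list[tuple[str, str]]) -> tuple[bool, str]:
    """Match observed headers (in wire order) against the signature.

    Other headers may appear between listed ones; optional headers may be
    absent entirely but may not appear out of sequence; habsent headers
    must not appear at all. Returns (matched, reason).
    """
    if sig.ver != "*" and sig.ver != version:
        return False, f"HTTP version {version} does not match sig version {sig.ver}"
    names = [n.lower() for n, _ in headers]
    pos = 0  # observed index just after the last matched header
    for spec in sig.horder:
        try:
            idx = names.index(spec.name, pos)
        except ValueError:
            if spec.optional and spec.name not in names:
                continue  # allowed to be missing altogether
            return False, f"header {spec.name} missing or out of order"
        if spec.value is not None and spec.value not in headers[idx][1]:
            return False, f"{spec.name} value lacks {spec.value!r}"
        pos = idx + 1
    for name in sig.habsent:
        if name in names:
            return False, f"forbidden header {name} present"
    return True, "ok"


def expsw_mismatch(sig: HttpSig, headers: list[tuple[str, str]], field: str = "user-agent") -> bool:
    """expsw is not part of matching: it only flags software whose User-Agent
    (or Server, for responses) lacks the substring the signature expects."""
    if not sig.expsw:
        return False
    value = next((v for n, v in headers if n.lower() == field), "")
    return sig.expsw not in value


# raw_sig from the analyzed Firefox request above
FIREFOX_SIG = ("1:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language=[;q=],"
               "Accept-Encoding=[gzip, deflate],?DNT=[1],Connection=[keep-alive],"
               "?Referer:Accept-Charset,Keep-Alive:Firefox/")

# Constructed header lists (wire order) for the example
FIREFOX_REQUEST = [
    ("Host", "example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Language", "en-us,en;q=0.5"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Connection", "keep-alive"),
]
# Same header order, but the User-Agent claims to be something else
SPOOFED_UA_REQUEST = [(n, "curl/7.88.1" if n == "User-Agent" else v) for n, v in FIREFOX_REQUEST]

if __name__ == "__main__":
    sig = parse_sig(FIREFOX_SIG)
    print(match_sig(sig, "1", FIREFOX_REQUEST))
    print(match_sig(sig, "1", FIREFOX_REQUEST + [("Keep-Alive", "300")]))
    print("dishonest UA:", expsw_mismatch(sig, SPOOFED_UA_REQUEST))
```

The spoofed request still matches the Firefox header order, which is exactly the case expsw exists for: the match reports Firefox while the User-Agent says otherwise, and that disagreement is what gets surfaced as a dishonest-software indicator rather than a failed match.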
HTTP Response
These are sent by the server in reply to the client’s request, containing the requested resource (HTML page, image, etc.) or a status message indicating the success or failure of the request.
HTTP Response Analyzed
.-[ 192.168.1.22/58494 -> 91.189.91.21/80 (http response) ]-
|
| server = 91.189.91.21/80
| app = nginx/1.14.0 (Ubuntu)
| params = anonymous
| raw_sig = server=[nginx/1.14.0 (Ubuntu)],date=[Tue, 17 Dec 2024 13:54:16 GMT],x-cache-status=[from content-cache-1ss/0],connection=[close]:Server,Date,X-Cache-Status,Connection:
|
`----
HTTP Response Key Fields
server: The destination IP and port of the server connection.
app: The server software identified by matching the response against the signature database.
params: Additional parameters or optional data included in the headers.
raw_sig: The raw HTTP response signature derived from the observed headers.