[Packetbeat] HTTP: Improve support for 100-continue #15830 (#19349) (#…

…20234) * refactor(packet beat): Improve support for 100-continue * test(packetbeat): 100-continue only generate one event without error * test(packetbeat): 100-continue only generate one event without error * Update packetbeat/protos/http/http.go Co-authored-by: Adrian Serrano <[email protected]> * delete unused string * Fix format issue Co-authored-by: Marc Guasch <[email protected]> Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit 41bc8c6) Co-authored-by: Bonsai <[email protected]>
elastic · Jul 28, 2020 · a6a9cd5 · a6a9cd5
1 parent 9807046
commit a6a9cd5
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -684,6 +684,8 @@ field. You can revert this change by configuring tags for the module and omittin
 *Packetbeat*
 
 - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
+- Add 100-continue support {issue}15830[15830] {pull}19349[19349]
+
 
 *Functionbeat*
 

diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go
@@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) {
 		unmatchedResponses.Add(1)
 		resp := conn.responses.pop()
 		debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple)
+
+		if resp.statusCode == 100 {
+			debugf("Drop first 100-continue response")
+			return
+		}
+
 		event := http.newTransaction(nil, resp)
 		http.publishTransaction(event)
 	}

diff --git a/packetbeat/tests/system/pcaps/http_100_continue.pcap b/packetbeat/tests/system/pcaps/http_100_continue.pcap
diff --git a/packetbeat/tests/system/test_0070_http_100_continue.py b/packetbeat/tests/system/test_0070_http_100_continue.py
@@ -0,0 +1,32 @@
+from packetbeat import BaseTest
+
+"""
+Tests for checking expect 100-continue only generate 1 event
+"""
+
+
+class Test(BaseTest):
+
+    def test_http_100_continue(self):
+        """
+        Should only generate one event
+        """
+        self.render_config_template(
+            iface_device="lo0",
+            http_ports=["9200"],
+            http_send_all_headers=True
+        )
+        self.run_packetbeat(pcap="http_100_continue.pcap")
+        objs = self.read_output_json()
+
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "http"
+        assert "request" in o["http"]
+        assert "headers" in o["http"]["request"]
+        assert o["http"]["request"]["headers"]["expect"] == "100-continue"
+
+        assert "response" in o["http"]
+
+        assert not "error" in o