diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 5bcdb19cf8d..429bfca560e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -684,6 +684,8 @@ field. You can revert this change by configuring tags for the module and omittin *Packetbeat* - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167] +- Add 100-continue support {issue}15830[15830] {pull}19349[19349] + *Functionbeat* diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go index efa344ab163..4b2367c0239 100644 --- a/packetbeat/protos/http/http.go +++ b/packetbeat/protos/http/http.go @@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) { unmatchedResponses.Add(1) resp := conn.responses.pop() debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple) + + if resp.statusCode == 100 { + debugf("Drop first 100-continue response") + return + } + event := http.newTransaction(nil, resp) http.publishTransaction(event) } diff --git a/packetbeat/tests/system/pcaps/http_100_continue.pcap b/packetbeat/tests/system/pcaps/http_100_continue.pcap new file mode 100644 index 00000000000..be1438e3080 Binary files /dev/null and b/packetbeat/tests/system/pcaps/http_100_continue.pcap differ diff --git a/packetbeat/tests/system/test_0070_http_100_continue.py b/packetbeat/tests/system/test_0070_http_100_continue.py new file mode 100644 index 00000000000..877bb90a280 --- /dev/null +++ b/packetbeat/tests/system/test_0070_http_100_continue.py @@ -0,0 +1,32 @@ +from packetbeat import BaseTest + +""" +Tests for checking expect 100-continue only generate 1 event +""" + + +class Test(BaseTest): + + def test_http_100_continue(self): + """ + Should only generate one event + """ + self.render_config_template( + iface_device="lo0", + http_ports=["9200"], + http_send_all_headers=True + ) + self.run_packetbeat(pcap="http_100_continue.pcap") + objs = self.read_output_json() + + assert len(objs) == 1 + o = objs[0] + + assert o["type"] == "http" + assert "request" in o["http"] + assert "headers" in o["http"]["request"] + assert o["http"]["request"]["headers"]["expect"] == "100-continue" + + assert "response" in o["http"] + + assert not "error" in o