From 36944280a6681fd3091278b805af76ff78ba48dc Mon Sep 17 00:00:00 2001
From: Aman Kumar <94223645+Aman123lug@users.noreply.github.com>
Date: Sat, 18 Mar 2023 23:51:50 +0530
Subject: [PATCH] Update http_analyzer.py adding find injection function

---
 modules/http_analyzer/http_analyzer.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/modules/http_analyzer/http_analyzer.py b/modules/http_analyzer/http_analyzer.py
index 969cd00e2..be9d05e99 100644
--- a/modules/http_analyzer/http_analyzer.py
+++ b/modules/http_analyzer/http_analyzer.py
@@ -382,6 +382,24 @@ def check_multiple_UAs(
 timestamp, category,
 source_target_tag=source_target_tag, profileid=profileid, twid=twid, uid=uid)
 return True
+ ## added
+ def check_large_response_body(self, uid, response_body_len, timestamp, profileid, twid):
+ """
+ Check if the response body length is larger than the defined threshold
+ """
+ if response_body_len > self.pastebin_downloads_threshold:
+ evidence_type = 'LargeResponseBody'
+ attacker_direction = 'srcip'
+ attacker = profileid.split('_')[0]
+ threat_level = 'medium'
+ category = 'Anomaly.DataTransfer'
+ confidence = 1
+ description = f'response body is larger than the threshold ({self.pastebin_downloads_threshold})'
+ __database__.setEvidence(evidence_type, attacker_direction, attacker, threat_level, confidence,
+ description, timestamp, category, profileid=profileid, twid=twid, uid=uid)
+ return True
+ return False
+
 def check_pastebin_downloads(
 self,
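Review bot: `attacker = profileid.split('_')[0]` in check_large_response_body takes the text before the first underscore, and if profileid here has the `profile_<ip>` shape this would attribute the evidence to the literal prefix rather than the source address, so the alert would name no real host; confirm against how check_multiple_UAs (which starts above the hunk) derives its attacker and, if so, use `attacker = profileid.split('_')[1]`. The size limit is `self.pastebin_downloads_threshold`, a pastebin-specific setting, while the docstring says "the defined threshold"; either state the reuse in the docstring (`Uses pastebin_downloads_threshold as the size limit; see check_pastebin_downloads`) or give this detection its own attribute so the two can be tuned independently. `response_body_len > ...` assumes an int; if a caller passes the length as read from a log record as a string, the comparison raises TypeError, so converting at the call boundary (`response_body_len = int(response_body_len)`) is safer. The `## added` marker above the def is commit noise and should be dropped, and the subject line describes an injection finder that this hunk does not contain. No caller of the new method is visible in this hunk, so it is dead code until wired into the HTTP log processing path.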