[Bro] URL and datastructures.....
seth at net.ohio-state.edu
Wed Mar 26 05:55:01 PDT 2008
On Mar 26, 2008, at 3:43 AM, Navdeep Singh wrote:
> Hi everyone....plz help me out...
> Actually I want to find out the URL's visited by the users...plz
> tell me how to do that....
> im trying to do that by using followoing event...
> global http_request: event(c: connection, method: string,
> original_URI: string, unescaped_URI: string, version: string)
That's the right event to be handling. You need to handle the event
event http_request(c: connection, method: string, original_URI:
string, unescaped_URI: string, version: string)
but, if you want the full url, you can handle a different event.
Here's an example...
event http_message_done(c: connection, is_orig: bool, stat:
if ( is_orig )
local s = lookup_http_request_stream(c);
local msg = get_http_message(s, is_orig);
local host = (s$next_request$host=="") ? fmt("%s", c$id$resp_h) : s
local url = fmt("%s http://%s%s", r$method, host, r$URI);
> but i dont know the datastructure of original_URI.....plz tell me
> where r these datastructures defined.....like the data structure for
> c:connection is...
original_URI is just a string. There isn't any underlying data
structure to it.
More information about the Bro