[Bro] URI decoding

Seth Hall seth at icir.org
Thu Sep 20 13:54:46 PDT 2012

We received a question privately about the HTTP logs and if there was a setting to stop URL decoding the "uri" field.  It turns out there isn't a setting for this, but the base scripts have been designed in a way that makes this very easy to do.  Here's the script to do it in case anyone else is interested…

event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	c$http$uri = original_URI;  # log the URI as sent on the wire, not the decoded form
	}

What it's doing is overwriting the c$http$uri field with the original_URI value instead of the unescaped_URI value which the base script uses.  It ends up being overwritten because the http_request handler in the base HTTP scripts is handled at a higher priority and is executed first; that way you are assured that your handler with no explicit priority (priority zero) will be executed second.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
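
A variant of the approach in the message above, added here as an example and not part of the original post: instead of overwriting "uri", it keeps the decoded value and logs the undecoded request URI in a second column, so both forms are available when reviewing http.log. The field name uri_raw is an assumption chosen for illustration.

```bro
@load base/protocols/http

# Extend the HTTP log record with an extra column.
# "uri_raw" is a hypothetical field name; it is not defined by the base scripts.
redef record HTTP::Info += {
	## Request URI exactly as it appeared on the wire (no URL decoding).
	uri_raw: string &log &optional;
};

# No explicit priority, so this runs at priority zero, after the base
# http_request handler has populated c$http and set c$http$uri to the
# decoded value.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	# Guard in case the base handler did not create the record.
	if ( c?$http )
		c$http$uri_raw = original_URI;
	}
```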
