[Bro-Dev] New http scripts

Gregor Maier gregor at icir.org
Tue Aug 16 22:21:47 PDT 2011


Hi,

quick question. For the new http scripts, after logging a request in 
http_message_done, should the c$http record be deleted and re-populated? 
Otherwise if the new request that gets logged only fills part of these 
fields, the ones from the previous request will be filled out and thus 
get logged twice.

(Don't know whether that's an issue for other protocols as well)

event http_message_done(c: connection, is_orig: bool, stat: 
http_message_stat) &priority = -5
     {
     # The reply body is done so we're ready to log.
     if ( ! is_orig )
         {
         Log::write(HTTP, c$http);
         delete c$http_state$pending[c$http_state$current_response];
         }
     }



cu
Gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/


More information about the bro-dev mailing list