[Bro] URL and datastructures.....

Seth Hall seth at net.ohio-state.edu
Wed Mar 26 05:55:01 PDT 2008


On Mar 26, 2008, at 3:43 AM, Navdeep Singh wrote:
> Hi everyone....plz help me out...
> Actually I want to find out the URL's visited by the users...plz  
> tell me how to do that....
> im trying to do that by using followoing event...
>
> global http_request: event(c: connection, method: string,  
> original_URI: string, unescaped_URI: string, version: string)

That's the right event to be handling.  You need to handle the event  
like this...

event http_request(c: connection, method: string, original_URI:  
string, unescaped_URI: string, version: string)
	{
	print original_URI;
	}

but, if you want the full url, you can handle a different event.   
Here's an example...

@load http-entity
@load http-reply
module HTTP;
event http_message_done(c: connection, is_orig: bool, stat:  
http_message_stat)
	{
	if ( is_orig )
		{
		local s = lookup_http_request_stream(c);
		local msg = get_http_message(s, is_orig);
	
		local host = (s$next_request$host=="") ? fmt("%s", c$id$resp_h) : s 
$next_request$host;
		local url = fmt("%s http://%s%s", r$method, host, r$URI);
		print url;
		}
	}

> but i dont know the datastructure of original_URI.....plz tell me  
> where r these datastructures defined.....like the data structure for  
> c:connection is...

original_URI is just a string.  There isn't any underlying data  
structure to it.

  .Seth



More information about the Bro mailing list