[Bro] URI decoding
Seth Hall
seth at icir.org
Thu Sep 20 13:54:46 PDT 2012
We received a question privately about the HTTP logs and if there was a setting to stop URL decoding the "uri" field. It turns out there isn't a setting for this, but the base scripts have been designed in a way that makes this very easy to do. Here's the script to do it in case anyone else is interested…
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	# Replace the decoded URI the base script stored with the raw one from the wire.
	c$http$uri = original_URI;
	}
What it's doing is overwriting the c$http$uri field with the original_URI value instead of the unescaped_URI value which the base script uses. It ends up being overwritten because the http_request handler in the base HTTP scripts is handled at a higher priority and is executed first; that way you are assured that your handler with no explicit priority (priority zero) will be executed second.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
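A variation on the same priority trick, added here as an example and not part of Seth's post or the Bro base scripts: rather than replacing the decoded "uri" value, keep it and log the raw request-URI in an extra column, so encoded evasions can be spotted by comparing the two. The field name orig_uri and the explicit negative priority are my choices; the base handler runs at a higher priority, as described above, so any handler at priority zero or below sees a populated c$http.

```bro
# Added example: log both the decoded and the undecoded request-URI.
# Extend the HTTP log record with a new, optional, logged column.
redef record HTTP::Info += {
	## Request-URI exactly as sent on the wire, before percent-decoding.
	orig_uri: string &log &optional;
};

# A negative priority guarantees this runs after the base HTTP script's
# http_request handler has created c$http and set c$http$uri to the
# decoded (unescaped_URI) value; that column is left untouched here.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &priority=-5
	{
	if ( ! c?$http )
		return;

	c$http$orig_uri = original_URI;
	}
```

With this loaded, an http.log row whose uri and orig_uri differ is a request that carried percent-encoding, which is the first thing to look at when a signature matched one form of a path but not the other.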