[Bro] URI decoding

Seth Hall seth at icir.org
Thu Sep 20 13:54:46 PDT 2012


We received a question privately about the HTTP logs and if there was a setting to stop URL decoding the "uri" field.  It turns out there isn't a setting for this, but the base scripts have been designed in a way that makes this very easy to do.  Here's the script to do it in case anyone else is interested…

# Runs at the default priority (0), i.e. after the base HTTP script's own
# http_request handler (&priority=5), which has already created c$http and
# set c$http$uri to unescaped_URI.  Overwrite it with the raw, still-encoded form.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	c$http$uri = original_URI;
	}

What it's doing is overwriting the c$http$uri field with the original_URI value instead of the unescaped_URI value which the base script uses.  It ends up being overwritten because the http_request handler in the base HTTP scripts is handled at a higher priority and is executed first; that way you are assured that your handler with no explicit priority (priority zero) will be executed second.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
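A variant of the approach above, added here as an example and not part of Seth's post or the Bro base scripts: rather than overwriting the decoded "uri" field, keep it and log the raw, still-encoded request target in an extra column. This lets an analyst see both the form the server will interpret and the form the client actually sent (useful when percent-encoding is being used to slip a path traversal or injection past naive matching) without losing the normalized value. The handler relies on the same priority ordering Seth describes: the base HTTP script's http_request handler runs at &priority=5 and creates c$http, so a handler at the default priority 0 can safely add to it. The field name orig_uri is my own choice; the rest assumes only the Bro 2.x base HTTP scripts.

```bro
@load base/protocols/http

module HTTP;

export {
	redef record Info += {
		## The request target exactly as it appeared on the wire, before
		## percent-decoding.  Only set when decoding actually changed it.
		## (Field name is an assumption for this example, not a base-script field.)
		orig_uri: string &log &optional;
	};
}

# Default priority (0): runs after the base script's &priority=5 handler,
# so c$http already exists and c$http$uri already holds unescaped_URI.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	# For the common case the two strings are identical; leave the field
	# unset then so the http.log column stays "-" and log volume is unchanged.
	if ( original_URI != unescaped_URI )
		c$http$orig_uri = original_URI;
	}
```

Load the script alongside the defaults (e.g. from local.bro) and http.log gains an orig_uri column that is populated only for requests where the client used encoding; the existing uri column keeps the decoded value the base script writes, so nothing that already keys on it changes.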