URL and datastructures.....

Hi everyone… please help me out…
Actually I want to find out the URLs visited by the users… please tell me how to do that…
I'm trying to do that by using the following event…

global http_request: event(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
{
print original_URI."------";
}

but I don't know the data structure of original_URI… please tell me where these data structures are defined… like the data structure for c: connection is…

type connection: record {
    id: conn_id;
    orig: endpoint;
    resp: endpoint;
    start_time: time;
    duration: interval;
    service: string;    # if empty, service not yet determined
    addl: string;
    hot: count;
    history: string;
};

If you have any other idea please let me know… I am new to Bro… I will be very thankful to you…

Thanks & Regards
Navdeep Singh


Hi everyone… please help me out…
Actually I want to find out the URLs visited by the users… please tell me how to do that…
I'm trying to do that by using the following event…

global http_request: event(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)

That's the right event to be handling. You need to handle the event like this...

event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
  {
  print original_URI;
  }

but, if you want the full url, you can handle a different event. Here's an example...

@load http-entity
@load http-reply
module HTTP;
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
  {
  if ( is_orig )
    {
    local s = lookup_http_request_stream(c);
    local msg = get_http_message(s, is_orig);
  
    local host = (s$next_request$host=="") ? fmt("%s", c$id$resp_h) : s$next_request$host;
    local url = fmt("%s http://%s%s", r$method, host, r$URI);
    print url;
    }
  }

but I don't know the data structure of original_URI… please tell me where these data structures are defined… like the data structure for c: connection is…

original_URI is just a string. There isn't any underlying data structure to it.

  .Seth

Hello Mr. Seth, the code you have provided is untested… it is not working and it's not giving URLs… please review it and send the exact code… I will be very thankful to you…

After I sent the email, I realized that it had a small bug. The bug is fixed now (I forgot to set the "r" variable). The mailing list is messing up the formatting of the script too, you just need to fix that.

The script is attached as a file now too because the mailing list screwed up the formatting.

http-url-print.bro (457 Bytes)
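
For readers on current Zeek (the renamed Bro), here is an added example that prints the full URL of each HTTP request; it is not the attached http-url-print.bro and not code from anyone in the thread. It assumes the stock `base/protocols/http` scripts are loaded, and relies on their `c$http` record and `HTTP::build_url_http` helper instead of the older `lookup_http_request_stream` interface used above.

```zeek
# Added example for current Zeek releases; not the script attached to the thread.
# Assumes the standard base HTTP scripts, which keep per-request state in c$http.
@load base/protocols/http

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Only the client-to-server message carries the request line and Host header.
	if ( ! is_orig || ! c?$http )
		return;

	local rec = c$http;

	# Skip sessions where the request line was missed (e.g. capture started mid-stream).
	if ( ! rec?$method || ! rec?$uri )
		return;

	# build_url_http() prefixes "http://" and falls back to the responder
	# address when the client sent no Host header.
	print fmt("%s %s %s", c$id$orig_h, rec$method, HTTP::build_url_http(rec));
	}
```

The Host header is supplied by the client, so the printed URL reflects what the client claimed to request; compare it with `c$id$resp_h` when the destination matters.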