Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Changed behavior of var-extraction-uri.zeek from policy/protocol/http to extract only the URI parameter names. Do not include the path in the first parameter name. Only extract uri vars if parameters actually exist.

Browse source
This commit is contained in:
Benjamin Grap 2025-08-13 19:52:18 +02:00 committed by Benjamin Bannier
parent 75ba63eb3f
commit fafc0212a5
6 changed files with 15 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
scripts/policy/protocols/http/var-extraction-uri.zeek
View file

@ -13,5 +13,9 @@ redef record Info += {
event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string) &priority=2
{
c$http$uri_vars = extract_keys(original_URI, /&/);
local param_parts = split_string1(original_URI, /\?/);
if ( |param_parts| > 1 )
{
c$http$uri_vars = extract_keys(param_parts[1], /&/);
}
}