Feature #1194
open: Implement http_args keyword to match http arguments - query string or body
Description
We can use a http_args keyword that would match on the "name = value"
pairs of http arguments from the query string or from the body.
Updated by Anoop Saldanha almost 12 years ago
The idea is to make this a sticky buffer. Does that sound fine?
Currently all the http keywords are modifiers. Would that be an
issue with regard to consistency on how other http keywords behave?
Updated by Victor Julien almost 12 years ago
Can you give some rule examples?
Updated by Anoop Saldanha almost 12 years ago
alert tcp any any -> any any (http_args; content:"argument"; sid:1;)
alert tcp any any -> any any (http_args; content:"argument"; pcre:"/argument1/"; sid:1;)
Similarly, other content keywords can be used.
To use other modifier keywords or sticky buffers, one would have to use pkt_data.
alert tcp any any -> any any (http_args; content:"argument"; pcre:"/argument1/"; pkt_data; content:"uri"; http_uri; sid:1;)
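An added illustration, not part of the ticket and not Suricata code, of the matching semantics the description proposes: the "name=value" pairs from the query string and from the body form one set, and each pair is inspected on its own. All function names are hypothetical, and the sketch assumes raw (not percent-decoded) arguments separated by `&`.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: bounded substring search, since an inspection
 * buffer is a (pointer, length) pair rather than a C string. */
static int pair_contains(const char *p, size_t plen, const char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > plen)
        return 0;
    for (size_t i = 0; i + nlen <= plen; i++)
        if (memcmp(p + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Walk one '&'-separated argument list and count the "name=value" pairs
 * that contain needle. Each pair is inspected on its own, so a match can
 * never span two arguments. Empty segments ("a=1&&b=2") are skipped. */
static int args_count_matches(const char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle), start = 0;
    int hits = 0;
    if (buf == NULL)
        return 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || buf[i] == '&') {
            if (i > start)
                hits += pair_contains(buf + start, i - start, needle, nlen);
            start = i + 1;
        }
    }
    return hits;
}

/* Arguments from the query string and from a urlencoded body are
 * treated as one set; the URI path itself is never inspected. */
int http_args_match(const char *uri, const char *body, const char *needle)
{
    const char *q = uri ? strchr(uri, '?') : NULL;
    int hits = 0;
    if (q != NULL)
        hits += args_count_matches(q + 1, strlen(q + 1), needle);
    if (body != NULL)
        hits += args_count_matches(body, strlen(body), needle);
    return hits;
}
```
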
Updated by Andreas Herz over 9 years ago
- Assignee changed from Anoop Saldanha to OISF Dev
Updated by Victor Julien over 7 years ago
- Assignee changed from OISF Dev to Anonymous
- Priority changed from Low to Normal
- Effort set to medium
- Difficulty set to low
Updated by Andreas Herz about 7 years ago
- Assignee set to Community Ticket
Updated by Victor Julien over 6 years ago
- Related to Feature #2487: rules: buffers for field/value pairs in http.uri and http.client_body added
Updated by Victor Julien over 1 year ago
- Related to Task #7336: Suricon 2024 brainstorm added
Updated by Victor Julien 3 months ago
- Related to Feature #6914: support inspecting http.uri or http.request_body added