Actions
Feature #1194
openImplement http_args keyword to match http arguments - query string or body
Effort:
medium
Difficulty:
low
Label:
Description
We can use a http_args keyword that would match on the "name = value"
pairs of http arguments from the query string or from the body.
Updated by Anoop Saldanha almost 10 years ago
The idea is to make this a sticky buffer. Does that sound fine?
Currently all the http keywords are modifiers. Would that be an
issue with regard to consistency on how other http keywords behave?
Updated by Anoop Saldanha almost 10 years ago
alert tcp any any -> any any (http_args; content:"argument"; sid:1;)
alert tcp any any -> any any (http_args; content:"argument"; pcre:"/argument1"/; sid:1;)
Similarly, other content keywords can be used.
To use other modifier keywords or sticky buffer, one would have to use pkt_data.
alert tcp any any -> any any (http:args; content:"argument"; pcre:"/argument1/";
pkt_data; content:"uri"; http_uri; sid:1;)
Updated by Andreas Herz over 7 years ago
- Assignee changed from Anoop Saldanha to OISF Dev
Updated by Victor Julien over 5 years ago
- Assignee changed from OISF Dev to Anonymous
- Priority changed from Low to Normal
- Effort set to medium
- Difficulty set to low
Updated by Victor Julien over 4 years ago
- Related to Feature #2487: Buffers for field/value pairs in http_uri and http_client_body added
Actions