Feature #2077
closedAdditional HTTP Header Contents and Negation
Description
It would be very useful to have the following buffers from the HTTP Header:
http_referer
http_version
http_accept
http_accept_language
http_accept_encoding
http_connection
http_content_length
http_content_type
It would also be very useful to be able to negate on buffers without having to access the http_header buffer.
Often we use lines such as content:!"Referer|3a 20|"; http_header; to indicate that http_referer is not present in the request
It would be useful to be able to say !http_referer; or !http_user_agent; essentially just saying that the buffer has no contents or doesn't exist for this request.
Updated by Victor Julien about 7 years ago
In the git master we have 'http_protocol', which contains the protocol field for HTTP/1.0 and HTTP/1.1 requests and responses. In 'GET / HTTP/1.0' it will contain 'HTTP/1.0'. It's implemented as a sticky buffer. Can you test if that does what you need?
On the negation, I added a different way recently (also git master): http_header_names. This is a buffer with only the names of the headers. See https://github.com/inliniac/suricata/commit/aaeeae0722ffdd91221518a6a2b7ef903cc7ef10 The way you could use this:
http_header_names; content:!"|0a 0d|Referer|0a 0d|";
For the other ones, what do you need to be in the buffer? Just the value, or 'Headername: value' or 'value\r\n' or some other variant?
Updated by Jason Williams about 7 years ago
http_protocol works great
Did not know about http_header_names, that will work just fine
For the others, the functionality that exists for http_user_agent would be perfect
Updated by Victor Julien about 7 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 70
Updated by Victor Julien almost 7 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 4.0beta1
Merged as part of https://github.com/inliniac/suricata/pull/2673