Feature #2283: turn content modifiers into 'sticky buffers'
Status: Closed
Description
Turn all content modifiers into sticky buffers with a '<proto>.<buffer>[.<modifier>]' notation.
Support this dot-notation for all existing sticky buffers.
In both cases the existing rule keywords need to keep working for backwards compatibility. New keywords only need to support the new notation.
Some examples:
content:"abc"; http_uri; -> http.uri; content:"abc";
content:"abc"; http_raw_uri; -> http.uri.raw; content:"abc";
content:"abc"; http_client_body; -> http.request_body; content:"abc";
dns_query; content:"abc"; -> dns.query; content:"abc";
Internally, these keywords need to be registered through the 'v2 API', so that they support transforms.
Examples can be found in https://github.com/OISF/suricata/pull/3632
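As an added illustration of the conversion the ticket describes (this is example code written for this page, not Suricata's own rule parser or anything from the linked pull request), the following Python rewrites rule options from the old form to the new notation. The keyword table covers only the four examples given above; the helper names `split_options`, `to_sticky` and `convert_rule` are assumptions. The one point it makes concrete is the ordering change: a content modifier such as `http_uri` follows the `content` it applies to, so it must be hoisted in front of that content when it becomes a sticky buffer, while an existing sticky keyword such as `dns_query` already precedes its content and is only renamed.

```python
"""Rewrite Suricata rule options from content-modifier style to the
'<proto>.<buffer>[.<modifier>]' sticky-buffer notation.

Added example for this ticket, not Suricata's own code. The keyword
mapping covers only the examples given in the feature description."""

# Old keyword -> new sticky buffer name (taken from the ticket examples).
STICKY_MAP = {
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_client_body": "http.request_body",
    "dns_query": "dns.query",  # already a sticky buffer; only renamed
}

# Keywords that were content modifiers: they follow the content they modify.
MODIFIERS = {"http_uri", "http_raw_uri", "http_client_body"}


def split_options(options):
    """Split 'a:"x;y"; b;' into ['a:"x;y"', 'b'].

    Semicolons inside double quotes (and escaped quotes) do not split,
    so a content pattern containing ';' survives intact."""
    out, cur, in_quote, escaped = [], [], False, False
    for ch in options:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                out.append(tok)
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return out


def to_sticky(options):
    """Convert one rule's option string.

    A modifier keyword is renamed and moved in front of the most recent
    content it applied to; a sticky keyword is renamed in place; every
    other option is passed through unchanged."""
    out = []
    for tok in split_options(options):
        if tok in MODIFIERS:
            # Walk back to the content this modifier belonged to and hoist
            # the new buffer name before it.
            for i in range(len(out) - 1, -1, -1):
                if out[i].startswith("content:"):
                    out.insert(i, STICKY_MAP[tok])
                    break
            else:
                raise ValueError(f"modifier {tok} without a preceding content")
        elif tok in STICKY_MAP:
            out.append(STICKY_MAP[tok])
        else:
            out.append(tok)
    return " ".join(t + ";" for t in out)


def convert_rule(rule):
    """Apply to_sticky() to the option block of a full rule line."""
    head, _, rest = rule.partition("(")
    opts, _, _ = rest.rpartition(")")
    return f"{head}({to_sticky(opts)})"


if __name__ == "__main__":
    # Constructed sample rule, not from any real ruleset.
    print(convert_rule('alert http any any -> any any '
                       '(msg:"demo"; content:"/example/"; http_uri; sid:1;)'))
```

Because the old keywords must keep working, a converter like this is only a migration aid; the engine itself has to accept both spellings, which is why the ticket asks for the old and new keywords to be registered side by side.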
Updated by Jason Williams over 7 years ago
1. flip the proto to the end
- this complicates the naming a little
- breaks the current "proto_buffer"; naming scheme
uri_http;
header_http;
user_agent_http;
2. use similar naming to 'raw'
- a little more typing
- looks fairly similar to what we already have
http_sticky_uri;
http_sticky_header;
http_sticky_user_agent;
http_raw_sticky_uri; - in instances where we have raw
3. put sticky at the end
- not a naming convention we have currently
http_uri_sticky;
http_header_sticky;
http_user_agent_sticky;
4. let suricata decide the function of the buffer
- this could possibly complicate the engine's parsing of the rules
- cleanest
content:"/example/"; http_uri; (old - modifier)
http_uri; content:"/example/"; (new - sticky)
Updated by Jason Williams about 7 years ago
After some time thinking about this, perhaps the initial 'http_' portion of the buffer name is not needed?
our rule is already 'alert http...'
http_uri; -> uri;
http_user_agent; -> user_agent;
http_referer; -> referer;
Updated by Victor Julien about 6 years ago
- Status changed from New to Closed