Feature #2487
openrules: buffers for field/value pairs in http.uri and http.client_body
Description
We've found http_header_names to be one of our favorite new 4.0 buffers and would like to see if we could carry over this logic to other buffers.
for example, if the string in either the http_uri or the http_client_body was "field1=value1&field2=value2&field3=value3"
http_uri_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;http_uri_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;
basically the same for client_body
http_client_body_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;http_client_body_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;
Updated by Jason Ish over 7 years ago
- Effort set to medium
- Difficulty set to medium
Updated by Victor Julien about 6 years ago
- Related to Feature #1194: Implement http_args keyword to match http arguments - query string or body added
Updated by Jeff Lucovsky about 5 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Victor Julien about 1 year ago
- Related to Task #7336: Suricon 2024 brainstorm added
Updated by Philippe Antoine 8 months ago
- Related to Feature #6914: support inspecting http.uri or http.request_body added
Updated by Juliana Fajardini Reichow 18 days ago
- Related to Task #8123: Suricon 2025 Brainstorm added
Updated by Juliana Fajardini Reichow 18 days ago
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 9.0.0-beta1
Updated by Juliana Fajardini Reichow 18 days ago
Still relevant as of Brainstorm 2025
Updated by Victor Julien 14 days ago
- Subject changed from Buffers for field/value pairs in http_uri and http_client_body to rules: buffers for field/value pairs in http.uri and http.client_body