Project

General

Profile

Actions
Copy link

Feature #2487

open

rules: buffers for field/value pairs in http.uri and http.client_body

Added by Jason Williams almost 8 years ago. Updated 19 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Effort:
medium
Difficulty:
medium
Label:

Description

We've found http_header_names to be one of our favorite new 4.0 buffers and would like to see if we could carry over this logic to other buffers.

for example, if the string in either the http_uri or the http_client_body was "field1=value1&field2=value2&field3=value3"

http_uri_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_uri_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;

basically the same for client_body

http_client_body_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_client_body_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;

Related issues 6 (6 open0 closed)

Related to Suricata - Feature #1194: Implement http_args keyword to match http arguments - query string or bodyNewCommunity TicketActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Task #7336: Suricon 2024 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #6914: support inspecting http.uri or http.request_bodyNewOISF DevActions
Related to Suricata - Task #8123: Suricon 2025 BrainstormAssignedVictor JulienActions
Blocked by Suricata - Bug #8256: detect: http.headers does not work on trailers when it is not fast_patternIn ReviewPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Jason Ish over 7 years ago

  • Effort set to medium
  • Difficulty set to medium
Actions
Copy link
 #2

Updated by Victor Julien over 6 years ago

  • Related to Feature #1194: Implement http_args keyword to match http arguments - query string or body added
Actions
Copy link
 #3

Updated by Jeff Lucovsky about 5 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added
Actions
Copy link
 #4

Updated by Victor Julien over 1 year ago

  • Related to Task #7336: Suricon 2024 brainstorm added
Actions
Copy link
 #5

Updated by Philippe Antoine 10 months ago

  • Related to Feature #6914: support inspecting http.uri or http.request_body added
Actions
Copy link
 #6

Updated by Juliana Fajardini Reichow 3 months ago

  • Related to Task #8123: Suricon 2025 Brainstorm added
Actions
Copy link
 #7

Updated by Juliana Fajardini Reichow 3 months ago

  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 9.0.0-beta1
Actions
Copy link
 #8

Updated by Juliana Fajardini Reichow 3 months ago

Still relevant as of Brainstorm 2025

Actions
Copy link
 #9

Updated by Philippe Antoine 2 months ago

http_client_body should url_decode

Actions
Copy link
 #10

Updated by Victor Julien 2 months ago

  • Subject changed from Buffers for field/value pairs in http_uri and http_client_body to rules: buffers for field/value pairs in http.uri and http.client_body
Actions
Copy link
 #11

Updated by Philippe Antoine 2 months ago

  • Status changed from New to Assigned
Actions
Copy link
 #12

Updated by Philippe Antoine 19 days ago

  • Status changed from Assigned to In Progress
Actions
Copy link
 #13

Updated by Philippe Antoine 5 days ago

  • Blocked by Bug #8256: detect: http.headers does not work on trailers when it is not fast_pattern added
Actions
Copy link

Also available in: Atom PDF