Feature #2487
open
rules: buffers for field/value pairs in http.uri and http.client_body
Description
We've found http_header_names to be one of our favorite new 4.0 buffers and would like to see if we could carry over this logic to other buffers.
For example, if the string in either the http_uri or the http_client_body was "field1=value1&field2=value2&field3=value3":
http_uri_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_uri_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;
Basically the same for client_body:
http_client_body_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_client_body_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;
Updated by Jason Ish almost 8 years ago
- Effort set to medium
- Difficulty set to medium
Updated by Victor Julien over 6 years ago
- Related to Feature #1194: Implement http_args keyword to match http arguments - query string or body added
Updated by Jeff Lucovsky over 5 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Victor Julien over 1 year ago
- Related to Task #7336: Suricon 2024 brainstorm added
Updated by Philippe Antoine 12 months ago
- Related to Feature #6914: support inspecting http.uri or http.request_body added
Updated by Juliana Fajardini Reichow 5 months ago
- Related to Task #8123: Suricon 2025 Brainstorm added
Updated by Juliana Fajardini Reichow 5 months ago
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 9.0.0-beta1
Updated by Juliana Fajardini Reichow 5 months ago
Still relevant as of Brainstorm 2025
Updated by Philippe Antoine 5 months ago
http_client_body should url_decode
Updated by Victor Julien 5 months ago
- Subject changed from Buffers for field/value pairs in http_uri and http_client_body to rules: buffers for field/value pairs in http.uri and http.client_body
Updated by Philippe Antoine 5 months ago
- Status changed from New to Assigned
Updated by Philippe Antoine 3 months ago
- Status changed from Assigned to In Progress
Updated by Philippe Antoine 3 months ago
- Blocked by Bug #8256: detect: http.headers does not work on trailers when it is not fast_pattern added
Updated by Victor Julien 22 days ago
Just FYI, when following the in-review PR chain, at some point it drops this work and is only about #8256, it seems.
Updated by Philippe Antoine 22 days ago
Victor Julien wrote in #note-14:
Just FYI, when following the in-review PR chain, at some point it drops this work and is only about #8256, it seems.
Yes, this ticket is blocked by #8256.
This ticket requires a multi-progress keyword, and http.headers was pointed out as having this, but http.headers multi-progress support is buggy.
So we first fix multi-progress for the existing keyword, then we add a new keyword with the right multi-progress support.
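
A model of the buffers requested in the description, added here as an example; it is not Suricata code and not from any participant in this ticket. It assumes the new buffers would use the http.header_names framing that the description's rule fragments imply, and that URL decoding is applied as the url_decode comment suggests; `pair_buffers`, `content`, `description_rule_matches` and the sample strings are hypothetical names and constructed inputs.

```python
from urllib.parse import unquote_to_bytes

CRLF = b"\r\n"

def url_decode(raw: bytes) -> bytes:
    # Form encoding: '+' is a space, %XX is a single byte.
    return unquote_to_bytes(raw.replace(b"+", b" "))

def layout(items):
    # Assumed framing, as in http.header_names: CRLF before each item, CRLF CRLF at the end.
    return CRLF + CRLF.join(items) + CRLF + CRLF if items else b""

def pair_buffers(raw: bytes, decode: bool = True):
    """Return (names_buffer, values_buffer) for 'a=1&b=2' style input."""
    names, values = [], []
    for pair in raw.split(b"&"):
        if not pair:
            continue  # tolerate '&&' and a trailing '&'
        name, _, value = pair.partition(b"=")  # a bare 'flag' gets an empty value
        if decode:
            name, value = url_decode(name), url_decode(value)
        names.append(name)
        values.append(value)
    return layout(names), layout(values)

def content(buf: bytes, pat: bytes, nocase=False, startswith=False, endswith=False) -> bool:
    # Minimal stand-in for a content match with the modifiers used in the description.
    if nocase:
        buf, pat = buf.lower(), pat.lower()
    if startswith:
        return buf.startswith(pat)
    if endswith:
        return buf.endswith(pat)
    return pat in buf

# Constructed inputs: the string from the description and a percent-encoded variant.
PLAIN = b"field1=value1&field2=value2&field3=value3"
ENCODED = b"Field%31=value%31&field2=value+2&field3=value3"

def description_rule_matches(raw: bytes, decode: bool = True) -> bool:
    # Evaluates the four content matches from the description's rule fragments.
    names, values = pair_buffers(raw, decode)
    return (content(names, b"\r\nfield1", nocase=True, startswith=True)
            and content(names, b"field3\r\n\r\n", nocase=True, endswith=True)
            and content(values, b"\r\nvalue1", nocase=True, startswith=True)
            and content(values, b"value3\r\n\r\n", nocase=True, endswith=True))
```

With `decode=False` the percent-encoded variant no longer satisfies the same matches, which is the practical effect of decoding the body before the buffers are built.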