Project

General

Profile

Actions
Copy link

Feature #2487

open

Buffers for field/value pairs in http_uri and http_client_body

Added by Jason Williams about 6 years ago. Updated almost 6 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
medium
Difficulty:
medium
Label:

Description

We've found http_header_names to be one of our favorite new 4.0 buffers and would like to see if we could carry over this logic to other buffers.

for example, if the string in either the http_uri or the http_client_body was "field1=value1&field2=value2&field3=value3"

http_uri_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_uri_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;

basically the same for client_body

http_client_body_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_client_body_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;

Related issues 2 (2 open0 closed)

Related to Suricata - Feature #1194: Implement http_args keyword to match http arguments - query string or bodyNewCommunity TicketActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Jason Ish almost 6 years ago

  • Effort set to medium
  • Difficulty set to medium
Actions
Copy link
 #2

Updated by Victor Julien over 4 years ago

  • Related to Feature #1194: Implement http_args keyword to match http arguments - query string or body added
Actions
Copy link
 #3

Updated by Jeff Lucovsky over 3 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added
Actions
Copy link

Also available in: Atom PDF