Project

General

Profile

Actions
Copy link

Feature #2487

open

rules: buffers for field/value pairs in http.uri and http.client_body

Added by Jason Williams over 7 years ago. Updated 10 days ago.

Status:
Assigned
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Effort:
medium
Difficulty:
medium
Label:

Description

We've found http_header_names to be one of our favorite new 4.0 buffers and would like to see if we could carry over this logic to other buffers.

for example, if the string in either the http_uri or the http_client_body was "field1=value1&field2=value2&field3=value3"

http_uri_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_uri_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;

basically the same for client_body

http_client_body_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_client_body_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;

Related issues 5 (5 open0 closed)

Related to Suricata - Feature #1194: Implement http_args keyword to match http arguments - query string or bodyNewCommunity TicketActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Task #7336: Suricon 2024 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #6914: support inspecting http.uri or http.request_bodyNewOISF DevActions
Related to Suricata - Task #8123: Suricon 2025 BrainstormAssignedVictor JulienActions
Actions
Copy link

Also available in: Atom PDF