Feature #2487
open
rules: buffers for field/value pairs in http.uri and http.client_body
Added by Jason Williams almost 8 years ago.
Updated 19 days ago.
Description
We've found http_header_names to be one of our favorite new 4.0 buffers and would like to see if we could carry over this logic to other buffers.
For example, if the string in either the http_uri or the http_client_body was "field1=value1&field2=value2&field3=value3":
http_uri_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_uri_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;
Basically the same for client_body:
http_client_body_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_client_body_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;
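How the two proposed buffers could be built from the example string, as an added illustration that is not Suricata's code: it frames field names and values the way http_header_names frames header names (leading CRLF, CRLF after each item, CRLF CRLF at the end) so the startswith/endswith contents above would match, and it applies the URL decoding asked for later in the thread. Splitting on "&" and the first "=", and treating "+" as a space only for form bodies, are assumptions read from the example rather than anything the request specifies.

```rust
// Added example, not Suricata code: builds the proposed field-name and value
// buffers from a query string or form body, framed like http_header_names:
// a leading CRLF, each item followed by CRLF, and a closing CRLF CRLF.

/// Percent-decodes one field or value; `plus_is_space` applies the
/// form-encoding rule for request bodies (assumed, not from the request).
/// Malformed escapes such as "%zz" are kept literally rather than dropped.
fn percent_decode(s: &str, plus_is_space: bool) -> Vec<u8> {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        match b[i] {
            b'%' if i + 2 < b.len() && b[i + 1..i + 3].iter().all(u8::is_ascii_hexdigit) => {
                let h = std::str::from_utf8(&b[i + 1..i + 3]).unwrap();
                out.push(u8::from_str_radix(h, 16).unwrap());
                i += 3;
            }
            b'+' if plus_is_space => { out.push(b' '); i += 1; }
            c => { out.push(c); i += 1; }
        }
    }
    out
}

/// Splits on '&', then each pair on its first '='; a pair without '=' yields an
/// empty value so the names and values buffers stay positionally aligned.
fn field_value_buffers(input: &str, plus_is_space: bool) -> (Vec<u8>, Vec<u8>) {
    let mut names = b"\r\n".to_vec();
    let mut values = b"\r\n".to_vec();
    for pair in input.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        names.extend(percent_decode(k, plus_is_space));
        names.extend(b"\r\n");
        values.extend(percent_decode(v, plus_is_space));
        values.extend(b"\r\n");
    }
    names.extend(b"\r\n");
    values.extend(b"\r\n");
    (names, values)
}

fn main() {
    // Constructed input taken from the request's example string.
    let (n, v) = field_value_buffers("field1=value1&field2=value2&field3=value3", false);
    println!("names:  {:?}", String::from_utf8_lossy(&n));
    println!("values: {:?}", String::from_utf8_lossy(&v));
}
```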
Related issues
6 (6 open — 0 closed)
- Effort set to medium
- Difficulty set to medium
- Related to Feature #1194: Implement http_args keyword to match http arguments - query string or body added
- Related to Task #4097: Suricon 2020 brainstorm added
- Related to Task #7336: Suricon 2024 brainstorm added
- Related to Feature #6914: support inspecting http.uri or http.request_body added
- Related to Task #8123: Suricon 2025 Brainstorm added
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 9.0.0-beta1
Still relevant as of Brainstorm 2025
http_client_body should url_decode
- Subject changed from Buffers for field/value pairs in http_uri and http_client_body to rules: buffers for field/value pairs in http.uri and http.client_body
- Status changed from New to Assigned
- Status changed from Assigned to In Progress
- Blocked by Bug #8256: detect: http.headers does not work on trailers when it is not fast_pattern added