Actions
Feature #4089
openrules: Flexible format transform
Effort:
medium
Difficulty:
medium
Label:
Description
A transform that could combine existing sticky buffer values according to a format string in a transform would provide a power facility to shift rules based on specific hosts/path combinations into a dataset and hence, craft a rule like the following:
alert http any any -> any any (format("{}/{}", http.host, http.uri); dataset: isset, url-bl;)
The values for http.host and http.uri are combined into a string, eg., http://somehost/some/path/that/is/suspicious.
The format transform generates the string and then it's checked against a URL blacklist.
Updated by Jeff Lucovsky over 3 years ago
Instead of "format("{}/{}", http.host, http.uri)" --> format:"{}/{}, http.host, http.uri"
Or perhaps with clearer intent:
http.host:"hostvar"; http.uri:"urivar";format:"{}/{}, hostvar, urivar";
Or maybe
alert http any any -> any any (http.host:sticky:http_host;content:"a";format:"{}/{}, sticky:http_host";)Updated by Jeff Lucovsky over 3 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Victor Julien over 3 years ago
- Subject changed from Flexible format transform to rules: Flexible format transform
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Actions