Feature #4089
open
rules: Flexible format transform
Added by Jeff Lucovsky almost 5 years ago.
Updated 10 months ago.
Description
A transform that combines existing sticky buffer values according to a format string would provide a powerful facility to shift rules based on specific host/path combinations into a dataset and hence craft a rule like the following:
alert http any any -> any any (format("{}/{}", http.host, http.uri); dataset: isset, url-bl;)
The values for http.host and http.uri are combined into a string, e.g., http://somehost/some/path/that/is/suspicious.
The format transform generates the string and then it's checked against a URL blacklist.
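The following is an added model of the proposed behaviour, not Suricata code and not part of this issue: it fills a "{}/{}" template with http.host and http.uri extracted from a constructed request and checks the result against a constructed url-bl dataset, decoded from the one-base64-value-per-line layout Suricata uses for string datasets. The request strings, the dataset entries and the function names are all assumptions made for the example.

```python
import base64

# Constructed "url-bl" dataset file in the layout Suricata uses for datasets of
# type string: one base64-encoded value per line. Entries are constructed.
URL_BL_FILE = "\n".join(
    base64.b64encode(value.encode()).decode()
    for value in ("somehost//some/path/that/is/suspicious", "bad.example//login.php")
)

# Constructed HTTP/1.1 requests used as sample input.
SUSPICIOUS_REQUEST = (
    "GET /some/path/that/is/suspicious HTTP/1.1\r\nHost: somehost\r\n\r\n"
)
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: somehost\r\n\r\n"


def load_string_dataset(file_text):
    """Decode a string-type dataset file into a set of plain values."""
    return {
        base64.b64decode(line).decode()
        for line in file_text.splitlines()
        if line.strip()
    }


def apply_format(template, *values):
    """Fill each '{}' placeholder in order; models the proposed transform.

    The join is plain concatenation: nothing is normalised or stripped, so the
    key must match the dataset's stored form byte for byte.
    """
    if template.count("{}") != len(values):
        raise ValueError("placeholder count does not match value count")
    out = template
    for value in values:
        out = out.replace("{}", value, 1)
    return out


def extract_host_and_uri(raw_request):
    """Return (http.host, http.uri) from a constructed HTTP/1.1 request."""
    request_line, _, rest = raw_request.partition("\r\n")
    _method, uri, _version = request_line.split(" ")
    host = ""
    for header in rest.split("\r\n"):
        if not header:  # blank line ends the header block
            break
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return host, uri


def rule_matches(raw_request, template, dataset):
    """Evaluate format(template, http.host, http.uri); dataset: isset."""
    host, uri = extract_host_and_uri(raw_request)
    return apply_format(template, host, uri) in dataset


if __name__ == "__main__":
    url_bl = load_string_dataset(URL_BL_FILE)
    print(rule_matches(SUSPICIOUS_REQUEST, "{}/{}", url_bl))  # True
    print(rule_matches(BENIGN_REQUEST, "{}/{}", url_bl))      # False
```

One practical point the model makes visible: http.uri carries its leading "/", so the "{}/{}" template from the proposed rule yields "somehost//some/path/..." with a doubled slash. Whoever loads the dataset has to store entries in exactly the form the template produces (or choose "{}{}" instead); an entry stored as "somehost/some/path/..." would never match.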
Instead of "format("{}/{}", http.host, http.uri)" --> format:"{}/{}, http.host, http.uri"
Or perhaps with clearer intent:
http.host:"hostvar"; http.uri:"urivar";format:"{}/{}, hostvar, urivar";
Or maybe
alert http any any -> any any (http.host:sticky:http_host;content:"a";format:"{}/{}, sticky:http_host";)
- Related to Task #4097: Suricon 2020 brainstorm added
- Subject changed from Flexible format transform to rules: Flexible format transform
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
- Target version changed from 8.0.0-beta1 to 9.0.0-beta1