Feature #5044
openrules: keyword for "count" of http_header_names
Description
I've recently written a few "terse requests" style which leverage the http.header_names buffer to ensure there are very few headers. To accomplish this I often find myself negating specific headers to ensure there are only a few of them in the request. However, I believe the ability to "count" the number of headers would be a better solution. Every other solution I was able to think of has it's own disadvantages.
http.header_names; count:<3;
I'm not sure if any other keywords would benefit from such logic.
Updated by Victor Julien about 2 years ago
- Subject changed from keyword for "count" of http_header_names to rules: keyword for "count" of http_header_names
Making a dedicated keyword would be easy. I'm just trying to think if there is a more generic way we could expose something like this. The suggested notation would act on the contents of the http.header_names buffer, which is a single buffer. I suppose we could do something like http.header_names; content:"|0d 0a|"; count:<3;, where the count modifier would tell the matching to engine count the number of matches of content:"|0d 0a|"; and return a match if the count condition is reached. I worry about the performance of this, but I guess its possible.
Updated by Brandon Murphy about 2 years ago
I like that idea, just had a use case today for the number of url-encoded elements in a http.request_body.
http.request_body; content:"&"; count:<5;would work well.