Project

General

Custom queries

Profile

Actions
Copy link

Feature #5044

open

rules: keyword for "count" of http_header_names

Added by Brandon Murphy over 3 years ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

I've recently written a few "terse requests" style which leverage the http.header_names buffer to ensure there are very few headers. To accomplish this I often find myself negating specific headers to ensure there are only a few of them in the request. However, I believe the ability to "count" the number of headers would be a better solution. Every other solution I was able to think of has it's own disadvantages.

http.header_names; count:<3;

I'm not sure if any other keywords would benefit from such logic.

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #7211: detect/integers: support a count argument for array of integersNewPhilippe AntoineActions
#1

Updated by Victor Julien over 3 years ago

  • Subject changed from keyword for "count" of http_header_names to rules: keyword for "count" of http_header_names
#3

Updated by Philippe Antoine about 1 year ago

  • Assignee set to OISF Dev
  • Target version set to TBD
#4

Updated by Philippe Antoine 6 months ago

  • Related to Feature #7211: detect/integers: support a count argument for array of integers added
#5

Updated by Philippe Antoine 4 months ago

  • Assignee changed from OISF Dev to Philippe Antoine
#6

Updated by Philippe Antoine 3 months ago

  • Target version changed from TBD to 9.0.0-beta1
Actions
Copy link

Also available in: Atom PDF