Feature #6439
closedNew Transformation: to_lowercase
Description
Hoping to get a to_lowercase transformation that can be combined with others. The use case is to allow for the "normalization" of a mixed case URL to lowercase. This would allow the url to be obfuscated and account for multiple variations of casing within the field.
http.uri; to_lowercase; to_sha256; content:"<sha256 digest>";
Updated by Victor Julien 6 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
- Target version changed from TBD to 8.0.0-beta1
@Brandon Murphy would you see value in a "to_uppercase" as well?
@Jeff Lucovsky we can probably target 7 as well, as there should be no side effects of adding this.
Updated by Brandon Murphy 6 months ago
@Brandon Murphy would you see value in a "to_uppercase" as well?
I cannot currently think of any use cases for that. If it's only a trivial amount of additional work, then why not include it? I'd much rather have it and not need it than the other way around.
Updated by Jeff Lucovsky 6 months ago
- Status changed from Assigned to In Progress
Updated by Brandon Murphy 6 months ago
just wanting to mention, this transformation could be used to address case differences between HTTP/1 and HTTP/2 assuming content matches can be updated/change to reflect the transformation behavior.
Updated by Jeff Lucovsky 6 months ago
@Brandon Murphy Here's a draft PR for early feedback: https://github.com/OISF/suricata/pull/9761
Updated by Jeff Lucovsky 5 months ago
- Status changed from In Progress to Closed
Updated by Victor Julien 5 months ago
- Status changed from Closed to Resolved
- Label Needs backport to 7.0 added