Feature #7322
openability to negate the existence of fields via buffer negation
Description
While writing hunting signatures today, we noticed that it is not possible to negate the existence of a buffer which we think would be valuable in several signature ideas.
For example - if we want to write a signature that looks for a HTTP POST request that contains a Content-Length header with a valid value but the traffic indicates that nothing is sent, http.request_body; is empty but there is no way to negate that or detect that the buffer is not present. We tried using isdataat, bsize:0;, and pcre:"/^$/"; which all fail (presumably because there is just no buffer there in the first place).
Updated by Victor Julien about 1 month ago
I think this is a duplicate of #2224, which is in development currently. You can perhaps test and give feedback on https://github.com/OISF/suricata/pull/11906
Updated by Victor Julien about 1 month ago
- Is duplicate of Bug #2224: Negated http_* match returns false if buffer not populated added