Feature #7322 (closed)
Ability to negate the existence of fields via buffer negation
Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Description
While writing hunting signatures today, we noticed that it is not possible to negate the existence of a buffer, which we think would be valuable in several signature ideas.
For example, if we want to write a signature that looks for an HTTP POST request that contains a Content-Length header with a valid value but the traffic indicates that nothing is sent, `http.request_body;` is empty, but there is no way to negate that or detect that the buffer is not present. We tried using `isdataat`, `bsize:0;`, and `pcre:"/^$/";`, which all fail (presumably because there is just no buffer there in the first place).
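To illustrate the behaviour the description presumes (a sticky-buffer keyword is never evaluated when the buffer itself is absent, so no negated match can fire), here is an added Python model of that evaluation. It is not Suricata code; the keyword semantics it encodes and the sample requests are assumptions constructed for this issue.

```python
import re
from typing import Callable, List, Optional

# Constructed sample traffic: one POST that sends its body, and one that
# advertises a Content-Length but never delivers the bytes (the case the
# issue wants to catch).
SAMPLE_REQUESTS = [
    {"method": "POST", "headers": {"Content-Length": "5"}, "body": b"a=b&c"},
    {"method": "POST", "headers": {"Content-Length": "512"}, "body": None},
]


def request_body_buffer(req: dict) -> Optional[bytes]:
    """Model of http.request_body: the buffer exists only if body bytes arrived."""
    return req["body"]


# Modeled keywords (assumed semantics). Each receives the buffer the engine
# hands it; none of them is ever reached when the buffer does not exist.
def kw_isdataat_not_1(buf: bytes) -> bool:  # isdataat:!1; -> no byte at offset 1
    return len(buf) < 1


def kw_bsize_0(buf: bytes) -> bool:  # bsize:0;
    return len(buf) == 0


def kw_pcre_empty(buf: bytes) -> bool:  # pcre:"/^$/";
    return re.match(rb"^$", buf) is not None


def sticky_buffer_match(req: dict, keyword: Callable[[bytes], bool]) -> bool:
    """Assumed engine rule: an absent buffer means the keyword is skipped."""
    buf = request_body_buffer(req)
    if buf is None:
        return False
    return keyword(buf)


def rule_matches(keyword: Callable[[bytes], bool]) -> List[bool]:
    """Evaluate one modeled rule against every sample request."""
    return [sticky_buffer_match(r, keyword) for r in SAMPLE_REQUESTS]


def content_length_without_body(req: dict) -> bool:
    """The condition the requested feature would express: declared length, no buffer."""
    declared = int(req["headers"].get("Content-Length", "0"))
    return req["method"] == "POST" and declared > 0 and request_body_buffer(req) is None
```

Running `rule_matches` with each of the three modeled keywords yields no hit on the body-less request, while `content_length_without_body` flags it; the gap between the two is the missing capability this issue asks for.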