Suricata

While writing hunting signatures today, we noticed that it is not possible to negate the existence of a buffer which we think would be valuable in several signature ideas.

For example - if we want to write a signature that looks for a HTTP POST request that contains a Content-Length header with a valid value but the traffic indicates that nothing is sent, http.request_body; is empty but there is no way to negate that or detect that the buffer is not present. We tried using isdataat, bsize:0;, and pcre:"/^$/"; which all fail (presumably because there is just no buffer there in the first place).