Feature #735
closedIntroduce content_len keyword
Description
Add support for the content_len keyword.
Can be used as -
conten_len:<op>,<no>;
where,
op - >, <, >=, <=, = ,!=,
no - unsigned integer
The content_len can be modified by the http_* modifiers.
For example,
content:"index"; http_uri; content_len:=,8; http_uri;
If no modifier is used, it would match on the packet payload length(which is the same as dsize)
Suggestions, comments?
Updated by Victor Julien about 11 years ago
I think the syntax should probably be more like urilen, filesize and dsize:
dsize:1; is exact match
urilen:5<>10; is a range
Like the concept. Think it makes sense to have a generic match for this.
Updated by Anoop Saldanha about 11 years ago
Have almost completed this work, but I've used the operators like the way I've specified. Felt it was neater if one wants to specify equal_to or not_equal_to.
Will change it to the dsize format if needed.
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- Target version changed from TBD to 2.0rc2
Updated by Victor Julien about 10 years ago
- Target version changed from 2.0rc2 to 3.0RC2
Updated by Victor Julien almost 9 years ago
- Target version changed from 3.0RC2 to TBD
Updated by Andreas Herz over 7 years ago
- Assignee changed from Anoop Saldanha to OISF Dev
Updated by Victor Julien over 6 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
Updated by Victor Julien over 6 years ago
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 70
Updated by Victor Julien about 6 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 4.1beta1
https://github.com/OISF/suricata/pull/3232 implements this under a different name: 'bsize'.