Feature #1194
open
Implement http_args keyword to match http arguments - query string or body
Added by Anoop Saldanha over 10 years ago.
Updated over 5 years ago.
Description
We can use a http_args keyword that would match on the "name = value"
pairs of http arguments from the query string or from the body.
Related issues
2 (2 open — 0 closed)
The idea is to make this a sticky buffer. Does that sound fine?
Currently all the http keywords are modifiers. Would that be an
issue with regard to consistency on how other http keywords behave?
Can you give some rule examples?
alert tcp any any -> any any (http_args; content:"argument"; sid:1;)
alert tcp any any -> any any (http_args; content:"argument"; pcre:"/argument1/"; sid:1;)
Similarly, other content keywords can be used.
To use other modifier keywords or sticky buffer, one would have to use pkt_data.
alert tcp any any -> any any (http_args; content:"argument"; pcre:"/argument1/";
pkt_data; content:"uri"; http_uri; sid:1;)
- Assignee changed from Anoop Saldanha to OISF Dev
- Assignee changed from OISF Dev to Anonymous
- Priority changed from Low to Normal
- Effort set to medium
- Difficulty set to low
- Assignee set to Community Ticket
- Related to Feature #2487: Buffers for field/value pairs in http_uri and http_client_body added
- Related to Task #7336: Suricon 2024 brainstorm added
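Added illustration, not code from Suricata or from this ticket: a Python model of the data an http_args buffer could expose and how the example rules above would evaluate against it. Assumptions: each "name=value" pair is percent-decoded and inspected as its own buffer instance, only form-urlencoded bodies are parsed, and content and pcre must hit the same pair; the function names and the sample request are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

FORM = "application/x-www-form-urlencoded"


def http_args(request_uri, body=b"", content_type=""):
    """Return decoded 'name=value' strings from the query string and,
    for form-urlencoded requests, from the body (assumed semantics)."""
    pairs = parse_qsl(urlsplit(request_uri).query, keep_blank_values=True)
    if content_type.split(";")[0].strip().lower() == FORM:
        pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [f"{name}={value}" for name, value in pairs]


def match(args, content, pcre=None):
    """Model `http_args; content:"..."; pcre:"/.../";`.

    Returns the pairs in which the content string is present and, when a
    pattern is given, the pattern matches the same pair."""
    rx = re.compile(pcre) if pcre else None
    return [a for a in args if content in a and (rx is None or rx.search(a))]


# Constructed sample request: arguments in both the query string and the body.
SAMPLE_URI = "/argument/search?q=test&argument1=%2e%2e%2fetc"
SAMPLE_BODY = b"user=bob&argument=on"
SAMPLE_ARGS = http_args(SAMPLE_URI, SAMPLE_BODY, FORM + "; charset=utf-8")

if __name__ == "__main__":
    print(SAMPLE_ARGS)
    # sid:1 from the first example rule: content only
    print(match(SAMPLE_ARGS, "argument"))
    # second example rule: content plus pcre on the same pair
    print(match(SAMPLE_ARGS, "argument", r"argument1"))
    # "search" occurs only in the URI path, so an argument-scoped match misses it
    print(match(SAMPLE_ARGS, "search"))
```

The last call shows the point of a dedicated buffer: a string that appears only in the URI path does not match, whereas the same content on http_uri would.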