Feature #2332
Closed
Support for common http response headers - Location and Server
Description
It would be useful to have these as sticky buffers
Given the following headers...
HTTP/1.1 302 Moved Temporarily
Date: Mon, 01 Dec 2017 14:19:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Location: https://www.awebsiteforyou.cf/This/isntreal.aspx?flag=1
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
If we wanted to write a rule on the junk tld in location, we currently have to do...
content:"Location|3a 20|"; http_header; pcre:"/^[^\r\n]+\.cf\//HRi";
Would be nice to do something like
http_location; content:".cf/";
Also, it would be nice to have the server as a buffer as we have to rely on http_header here as well.
content:"|0d 0a|Server|3a 20|Apache"; http_header;
http_server; content:"Apache"; depth:6;
Updated by Andreas Herz almost 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien over 5 years ago
- Assignee changed from Victor Julien to Jeff Lucovsky
- Target version changed from TBD to 5.0beta1
See for reference https://github.com/OISF/suricata/pull/3632
Keyword names would be 'http.server' and 'http.location'.
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
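Added example (not part of the ticket and not Suricata code): a simplified Python emulation of the raw http_header rules from the description next to per-header matching of the kind requested, run over constructed header blocks. It assumes the raw header buffer begins at the first header line with no leading CRLF; all function names are hypothetical.

```python
import re

# Constructed header blocks, as a raw header buffer would present them.
SAMPLE_REDIRECT = (
    "Date: Mon, 01 Dec 2017 14:19:34 GMT\r\n"
    "Server: Apache\r\n"
    "Location: https://www.awebsiteforyou.cf/This/isntreal.aspx?flag=1\r\n"
    "Content-Length: 0\r\n"
)
SAMPLE_CONTENT_LOCATION = (
    "Server: Apache\r\n"
    "Content-Location: /docs/index.cf/en\r\n"
    "Content-Length: 12\r\n"
)

def raw_location_rule(headers):
    # Emulates: content:"Location|3a 20|"; http_header; pcre with /R and /i.
    needle = "Location: "
    pos = headers.find(needle)
    while pos != -1:
        # /R: the regex is anchored where the content match ended.
        if re.match(r"[^\r\n]+\.cf/", headers[pos + len(needle):], re.I):
            return True
        pos = headers.find(needle, pos + 1)
    return False

def raw_server_rule(headers):
    # Emulates: content:"|0d 0a|Server|3a 20|Apache"; http_header;
    return "\r\nServer: Apache" in headers

def header_value(headers, name):
    # Value of exactly one header: the view a per-header buffer gives a rule.
    for line in headers.split("\r\n"):
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return ""

def location_buffer_rule(headers):
    # Emulates a Location buffer followed by content:".cf/";
    return ".cf/" in header_value(headers, "Location")

def server_buffer_rule(headers):
    # Emulates a Server buffer followed by content:"Apache"; depth:6;
    return "Apache" in header_value(headers, "Server")[:6]
```

On the second sample the raw Location rule fires on `Content-Location`, and the raw Server rule misses because `Server` is the first header line; the per-header versions avoid both.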