Feature #2487

open

Buffers for field/value pairs in http_uri and http_client_body

Added by Jason Williams over 6 years ago. Updated over 6 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort: medium
Difficulty: medium
Label:

Description

We've found http_header_names to be one of our favorite new 4.0 buffers and would like to see if we could carry over this logic to other buffers.

For example, if the string in either the http_uri or the http_client_body was "field1=value1&field2=value2&field3=value3":

http_uri_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_uri_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;

Basically the same for client_body:

http_client_body_(field_name); content:"|0d 0a|field1"; nocase; startswith; content:"field3|0d 0a 0d 0a|"; nocase; endswith;
http_client_body_(value_name); content:"|0d 0a|value1"; nocase; startswith; content:"value3|0d 0a 0d 0a|"; nocase; endswith;
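
The following is an added example, not part of the ticket and not Suricata code: a small Python model of the requested buffers, laid out the way the rules above expect (leading CRLF, CRLF between entries, double CRLF at the end), with the startswith/endswith content checks evaluated against them. All function names are hypothetical, and it assumes `&` and `=` as separators with no URL-decoding.

```python
# Added illustration of the buffers proposed in this ticket; not Suricata code.
CRLF = b"\r\n"

def split_pairs(raw: bytes):
    """Split b'a=1&b=2' into ordered (name, value) pairs; no URL-decoding."""
    pairs = []
    for item in raw.split(b"&"):
        if item:  # ignore empty segments such as 'a=1&&b=2'
            name, _, value = item.partition(b"=")  # 'flag' alone -> value b''
            pairs.append((name, value))
    return pairs

def build_buffers(raw: bytes):
    """Return (field_name, value_name) buffers laid out like http_header_names:
    a leading CRLF, CRLF between entries, and a double CRLF at the end."""
    pairs = split_pairs(raw)
    names = CRLF + CRLF.join(n for n, _ in pairs) + CRLF * 2
    values = CRLF + CRLF.join(v for _, v in pairs) + CRLF * 2
    return names, values

def decode_content(pattern: str) -> bytes:
    """Decode a content string in which |..| encloses hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def anchored(buf: bytes, first: str, last: str) -> bool:
    """Model content:first; nocase; startswith; content:last; nocase; endswith;"""
    low = buf.lower()
    return (low.startswith(decode_content(first).lower())
            and low.endswith(decode_content(last).lower()))

if __name__ == "__main__":
    # Constructed samples: the ticket's string, and one with an extra trailing field.
    for raw in (b"field1=value1&field2=value2&field3=value3",
                b"FIELD1=value1&field2=value2&field3=value3&field4=x"):
        names, values = build_buffers(raw)
        print(names, anchored(names, "|0d 0a|field1", "field3|0d 0a 0d 0a|"))
        print(values, anchored(values, "|0d 0a|value1", "value3|0d 0a 0d 0a|"))
```

The second sample shows what the anchored pair buys a rule writer: an extra trailing field breaks the endswith match even though every listed name is still present.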


Related issues 3 (3 open, 0 closed)

Related to Suricata - Feature #1194: Implement http_args keyword to match http arguments - query string or body (New, Community Ticket)
Related to Suricata - Task #4097: Suricon 2020 brainstorm (Assigned, Victor Julien)
Related to Suricata - Task #7336: Suricon 2024 brainstorm (New, Victor Julien)