Project

General

Profile

Actions

Feature #5044

open

rules: keyword for "count" of http_header_names

Added by Brandon Murphy almost 3 years ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I've recently written a few "terse requests" style which leverage the http.header_names buffer to ensure there are very few headers. To accomplish this I often find myself negating specific headers to ensure there are only a few of them in the request. However, I believe the ability to "count" the number of headers would be a better solution. Every other solution I was able to think of has it's own disadvantages.

http.header_names; count:<3;

I'm not sure if any other keywords would benefit from such logic.


Related issues 1 (1 open0 closed)

Related to Suricata - Feature #7211: detect/integers: support a count argument for array of integersNewPhilippe AntoineActions
Actions #1

Updated by Victor Julien almost 3 years ago

  • Subject changed from keyword for "count" of http_header_names to rules: keyword for "count" of http_header_names

Making a dedicated keyword would be easy. I'm just trying to think if there is a more generic way we could expose something like this. The suggested notation would act on the contents of the http.header_names buffer, which is a single buffer. I suppose we could do something like http.header_names; content:"|0d 0a|"; count:<3;, where the count modifier would tell the matching to engine count the number of matches of content:"|0d 0a|"; and return a match if the count condition is reached. I worry about the performance of this, but I guess its possible.

Actions #2

Updated by Brandon Murphy almost 3 years ago

I like that idea, just had a use case today for the number of url-encoded elements in a http.request_body.

http.request_body; content:"&"; count:<5;
would work well.
Actions #3

Updated by Philippe Antoine 6 months ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #4

Updated by Philippe Antoine 17 days ago

  • Related to Feature #7211: detect/integers: support a count argument for array of integers added
Actions

Also available in: Atom PDF