Feature #5044

open

rules: keyword for "count" of http_header_names

Added by Brandon Murphy almost 3 years ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I've recently written a few "terse requests" style which leverage the http.header_names buffer to ensure there are very few headers. To accomplish this I often find myself negating specific headers to ensure there are only a few of them in the request. However, I believe the ability to "count" the number of headers would be a better solution. Every other solution I was able to think of has its own disadvantages.

http.header_names; count:<3;

I'm not sure if any other keywords would benefit from such logic.
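
Added example, not part of the original ticket and not Suricata code: a small Python model for comparing the negation workaround with the requested count check over captured requests. The function names, the sample requests and the list of negated headers are constructed for illustration; the buffer layout (leading CRLF, one CRLF after each name, trailing CRLF) follows the documented http.header_names format, and only the "<" comparison comes from the ticket.

```python
import operator

# Only "<" appears in the ticket ("count:<3"); ">" and "=" are assumed here.
_OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}


def header_names_buffer(raw_request: bytes) -> bytes:
    """Build a buffer shaped like http.header_names from a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line
    names = [line.split(b":", 1)[0].strip() for line in lines if b":" in line]
    return b"\r\n" + b"".join(name + b"\r\n" for name in names) + b"\r\n"


def count_names(buf: bytes) -> int:
    """Number of header names in the buffer (empty separators ignored)."""
    return sum(1 for name in buf.split(b"\r\n") if name)


def count_match(buf: bytes, expr: str) -> bool:
    """Model of the requested keyword, e.g. expr == "<3"."""
    return _OPS[expr[0]](count_names(buf), int(expr[1:]))


def negation_match(buf: bytes, absent: list) -> bool:
    """Model of the workaround: every listed header name must be absent."""
    return all(b"\r\n" + name + b"\r\n" not in buf for name in absent)


# Constructed sample data.
TERSE = b"GET /a HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n"
VERBOSE = (b"GET /a HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n"
           b"X-One: 1\r\nX-Two: 2\r\nX-Three: 3\r\n\r\n")
NEGATED = [b"Accept", b"Accept-Encoding", b"Accept-Language", b"Referer"]

if __name__ == "__main__":
    for label, req in (("terse", TERSE), ("verbose", VERBOSE)):
        buf = header_names_buffer(req)
        print(label, count_names(buf),
              "negation:", negation_match(buf, NEGATED),
              "count<3:", count_match(buf, "<3"))
```

On the constructed five-header request the negation list still matches because none of the listed names are present, while the count comparison does not.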


Related issues 1 (1 open, 0 closed)

Related to Suricata - Feature #7211: detect/integers: support a count argument for array of integers | New | Philippe Antoine