Feature #6831
Updated by Brandon Murphy 8 months ago
Use Case: Consider the following HTTP request. I would like to write detection logic that ensures the 32 byte string that occurs in the URI is also found within the Cookie Value. <pre> GET /example/path?foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://example.com Cookie: foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G </pre> reference: https://forum.suricata.io/t/byte-extract-byte-test-string-limits/4511/3 Current and Attempted Methods: Currently the only way (with PCRE capture groups)to accomplish this detection logic has many limitations/considerations 1) within a single buffer (http.start works in this example) - this won't work with HTTP/2 traffic 2) via capture groups within PCRE. This can be pretty costly. I attempted to use the byte_extract/byte_test, which did work, but was limited to 20 byte as noted within the discourse convo. the keyword performance of the byte_extract/byte_test combo was about half as many ticks as using the PCRE capture groups. Proposed Solution: I won't bother with suggesting how this should be solved, but more details of the use case are required please let me know. P.S. - I'm not sure what to "call" this request, so feel free to change the subject to more accurately reflect whatever this is.