[Oisf-devel] http buffers

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Feb 14 12:12:50 UTC 2012


On 14/02/12 11:52, Victor Julien wrote:
> Noticed quite a few ET rules match completely in HTTP buffers (uri,
> headers, etc) except for the request and/or response protocol.
> 
> What about adding http_proto (http request proto) and http_stat_proto
> (http response proto) in Suricata? Any use for that?
> 
> They would contain "HTTP/1.1" or "HTTP/1.0".

Sounds useful!

What about other common headers such as "Host:" and "Referer:"? Would we
get a performance boost?

> The HTTP/0.9 case is interesting, as it commits this field. We could
> forge it, so you can match on "HTTP/0.9". Thoughts?

You mean "omits" rather than "commits" I think? Forging it makes sense,
I guess.

One thing I wondered about the HTTP engine is whether it would be possible
to have a single rule check both request and response headers, or even
request headers and response body, or whether we will need to use flowbits?

e.g. I have a couple of rules using flowbits that look for an executable
downloaded from "/" without a referrer.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
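The flowbits pattern the message refers to (correlating a request's headers with the body of the matching response across two rules) can be written like this. This is an added example, not a rule from the original thread, from the ET rule sets or from the Suricata project; the flowbit name `example.root_noref`, the sids 9000001/9000002 and the msg strings are placeholders chosen for the illustration.

```suricata
# Rule 1: request side. Matches a GET for exactly "/" (urilen:1) that carries
# no Referer header, sets a flowbit on the flow and suppresses its own alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE root request without referrer"; flow:established,to_server; content:"GET"; http_method; content:"/"; http_uri; urilen:1; content:!"Referer|3a|"; http_header; flowbits:set,example.root_noref; flowbits:noalert; classtype:not-suspicious; sid:9000001; rev:1;)

# Rule 2: response side. Only fires on a flow where rule 1 set the bit, and
# checks the response body (file_data buffer) for a PE "MZ" header at offset 0.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE PE executable returned for root request without referrer"; flow:established,to_client; flowbits:isset,example.root_noref; file_data; content:"MZ"; depth:2; classtype:trojan-activity; sid:9000002; rev:1;)
```

The first rule carries the request-side conditions and only records state; the second rule carries the response-side conditions and produces the alert. Because the bit stays set for the lifetime of the flow, a keep-alive connection in which a later response contains an executable will also match, which is the main caveat of this approach compared with a single rule that could inspect both directions.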