[Oisf-devel] http buffers

Victor Julien lists at inliniac.net
Tue Feb 14 11:52:48 UTC 2012


Noticed quite a few ET rules match completely in HTTP buffers (uri,
headers, etc) except for the request and/or response protocol.

What about adding http_proto (http request proto) and http_stat_proto
(http response proto) in Suricata? Any use for that?

They would contain "HTTP/1.1" or "HTTP/1.0".

The HTTP/0.9 case is interesting, as it omits this field. We could
forge it, so you can match on "HTTP/0.9". Thoughts?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
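To make the proposal concrete, here is an added example (not code from Suricata or from the author) of how the two proposed buffers could be populated from a request line and a response status line, including the forged "HTTP/0.9" value for a simple request that carries no version field. The function names http_proto and http_stat_proto mirror the proposed keyword names, the regexes follow the RFC 2616 request-line and status-line grammar, and the sample transactions are constructed, not captured traffic.

```python
"""Added example: derive the request/response protocol strings that the
proposed http_proto and http_stat_proto buffers would carry.

Not Suricata code. Function names, regexes and samples are assumptions.
"""
import re
from typing import List, Optional, Tuple

# Request-Line = Method SP Request-URI SP HTTP-Version CRLF.
# HTTP-Version is optional here so an HTTP/0.9 "simple request"
# ("GET /path" with no version) also matches.
REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<version>HTTP/\d\.\d))?$"
)
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF.
STATUS_LINE = re.compile(
    rb"^(?P<version>HTTP/\d\.\d) (?P<status>\d{3})(?: (?P<reason>.*))?$"
)

# Value forged for 0.9 transactions, as suggested in the mail.
FORGED_09 = b"HTTP/0.9"


def http_proto(request_line: bytes) -> Optional[bytes]:
    """Return the request protocol buffer, or None for a non-request line."""
    m = REQUEST_LINE.match(request_line.rstrip(b"\r\n"))
    if m is None:
        return None
    version = m.group("version")
    if version is not None:
        return version
    # No version field present. Only "GET <uri>" is a legal 0.9 simple
    # request, so forge the buffer for that case and reject the rest.
    if m.group("method") == b"GET":
        return FORGED_09
    return None


def http_stat_proto(response_head: bytes,
                    request_proto: Optional[bytes]) -> Optional[bytes]:
    """Return the response protocol buffer.

    An HTTP/0.9 response has no status line at all (the body starts
    immediately), so the value can only be forged from the request side.
    """
    first = response_head.split(b"\n", 1)[0].rstrip(b"\r")
    m = STATUS_LINE.match(first)
    if m is not None:
        return m.group("version")
    if request_proto == FORGED_09:
        return FORGED_09
    return None


def proto_matches(rule_proto: bytes, observed: Optional[bytes]) -> bool:
    """Exact content-style match of a rule's value against the buffer."""
    return observed is not None and rule_proto == observed


# Constructed sample transactions (request line, start of response).
SAMPLES: List[Tuple[bytes, bytes]] = [
    (b"GET /index.html HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    (b"POST /submit HTTP/1.0\r\n", b"HTTP/1.0 302 Found\r\n"),
    (b"GET /old\r\n", b"<html>legacy body</html>"),          # HTTP/0.9
    (b"POST /upload\r\n", b"HTTP/1.0 400 Bad Request\r\n"),  # malformed req
]


def summarize(samples=SAMPLES):
    """Return (http_proto, http_stat_proto) for each sample transaction."""
    out = []
    for req, resp in samples:
        rp = http_proto(req)
        out.append((rp, http_stat_proto(resp, rp)))
    return out


if __name__ == "__main__":
    for (req, _), protos in zip(SAMPLES, summarize()):
        print(req.rstrip(), "->", protos)
```

The third sample shows why the forged value matters: neither side of a 0.9 exchange contains the string "HTTP/0.9", so a rule could only match it if the engine synthesises the buffer. The fourth sample shows the opposite edge case, a versionless non-GET line, which is left as None rather than silently labelled 0.9.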