[Oisf-users] Suricata 1.4 http keywords in rule options, how does matching occur for http_header?
rmkml
rmkml at yahoo.fr
Fri Jan 25 16:28:18 UTC 2013
Hi Will and Peter,
Nice feature!
and today it's a good day for writing to Santa Claus:
Please add a new feature for decoding server-side HTML? (http_decode?)
S_HTTP->C: ... file_data; content:"notes:/"; nocase; http_decode; distance:0;
automatically decoding notes:/ or notes%3A/ or notes%3A%2F or %6E%6F%74%65%73%3A%2F or %256E%256F%2574%2565%2573%253A%252F...
Best Regards
Rmkml
http://twitter.com/rmkml
On Fri, 25 Jan 2013, Peter Manev wrote:
>
>
> On Fri, Jan 25, 2013 at 4:23 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> While we are talking about having len and endswith would be really
> useful for at least http_uri, http_user_agent, and http_host_header.
> The first for performing exact matches i.e.
>
> content:"Mozilla"; http_user_agent; http_user_agent_len:7;
>
> to match
>
> User-Agent: Mozilla\r\n
>
> or
>
> content:".exe"; http_uri; endswith;
>
> to match
>
> GET /blah/blat/foo.exe HTTP/1.1\r\n
>
>
> etc... Want a feature request? :)
>
> yes !
>
>
>
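An added example, not part of the original messages and not Suricata code: a Python sketch of the matching semantics requested in this thread (layered percent-decoding before a `nocase` content match, an exact-length match, and a suffix match). The function names and the decode-round limit are assumptions, and the sample strings are constructed from the variants listed in the message.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: upper bound on nested encoding layers


def decode_layers(data: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(data, encoding="latin-1")
        if decoded == data:
            break
        data = decoded
    return data


def match_decoded(data: str, content: str) -> bool:
    """Emulates the proposed content:"..."; nocase; http_decode;"""
    return content.lower() in decode_layers(data).lower()


def match_exact(field: str, content: str) -> bool:
    """Emulates content plus the proposed length keyword (whole-field match)."""
    return len(field) == len(content) and field == content


def match_endswith(field: str, content: str) -> bool:
    """Emulates the proposed endswith modifier."""
    return field.endswith(content)


# Constructed samples: the encodings listed in the message, plus a non-match.
VARIANTS = [
    "notes:/",
    "notes%3A/",
    "notes%3A%2F",
    "%6E%6F%74%65%73%3A%2F",
    "%256E%256F%2574%2565%2573%253A%252F",
    "n0tes%3A/",
]

if __name__ == "__main__":
    for sample in VARIANTS:
        print(f"{sample!r:45} -> {match_decoded(sample, 'notes:/')}")
    print(match_exact("Mozilla", "Mozilla"), match_exact("Mozilla/5.0", "Mozilla"))
    print(match_endswith("/blah/blat/foo.exe", ".exe"))
```

The round limit keeps decoding cost bounded on input with many encoding layers; anything still encoded after the limit is simply not matched.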