[Oisf-users] http_cookie matches headers case-insensitive?

Darren Spruell phatbuckett at gmail.com
Mon Aug 24 17:01:33 UTC 2015


Hoping to verify that header matching on the http_cookie modifer and
associated PCRE modifier (/C) can work regardless of the casing on the
HTTP header; i.e. both of these examples are extracted for the target
buffer correctly:

set-cookie: bss=KTDhAUz38vWYQLy2SPcAAdm5c6AK; Version=1; Expires=Mon,
03-Nov-2014 05:45:33 GMT; Max-Age=600; Path=/

Set-Cookie: bss=CMjA4YU38t73e2lVITBAAdnpRGcF; Version=1; Expires=Thu,
20-Aug-2015 10:18:56 GMT; Max-Age=600; Path=/

I'm sure this must be the case but just want to validate.

When inspecting the buffer, is the header name present? Or does the
buffer only include the header value? For example, would
pcre:"/^bss=/C"; match the above samples correctly?

Darren Spruell
phatbuckett at gmail.com

More information about the Oisf-users mailing list