[Oisf-users] http_cookie matches headers case-insensitive?

Victor Julien lists at inliniac.net
Tue Aug 25 08:15:01 UTC 2015

On 08/24/2015 07:01 PM, Darren Spruell wrote:
> Hi,
> Hoping to verify that header matching on the http_cookie modifer and
> associated PCRE modifier (/C) can work regardless of the casing on the
> HTTP header; i.e. both of these examples are extracted for the target
> buffer correctly:
> set-cookie: bss=KTDhAUz38vWYQLy2SPcAAdm5c6AK; Version=1; Expires=Mon,
> 03-Nov-2014 05:45:33 GMT; Max-Age=600; Path=/
> Set-Cookie: bss=CMjA4YU38t73e2lVITBAAdnpRGcF; Version=1; Expires=Thu,
> 20-Aug-2015 10:18:56 GMT; Max-Age=600; Path=/
> I'm sure this must be the case but just want to validate.

Yep, it's case insensitive.

> When inspecting the buffer, is the header name present? Or does the
> buffer only include the header value? For example, would
> pcre:"/^bss=/C"; match the above samples correctly?

Value only. So your example should match.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list