[Oisf-users] Matching on normalized HTTP headers - CRLF or LF?
Darien Huss
dhuss at emergingthreats.net
Fri Jun 19 17:58:20 UTC 2015
This works in 2.0.8:
pcre:"/\.com$/W";
On Fri, Jun 19, 2015 at 2:39 AM, Darren Spruell <phatbuckett at gmail.com>
wrote:
> For normalized HTTP headers, and with PCRE /W modifier for the
> http_host buffer (for example), does matching end of buffer accept a
> bare $ anchor or is the header's \r\n / 0x0d0a / CRLF left intact?
>
> Wondering for example if matching Host headers with the glob *.in
> should be done as:
>
> pcre:"/\.in$/W";
>
> or:
>
> pcre:"/\.in\r$/W";
>
> --
> Darren Spruell
> phatbuckett at gmail.com
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150619/a4b85220/attachment-0002.html>
More information about the Oisf-users
mailing list