[Oisf-users] Matching on normalized HTTP headers - CRLF or LF?

Darren Spruell phatbuckett at gmail.com
Sat Jun 20 09:32:04 UTC 2015


Handy. Thanks!

On Fri, Jun 19, 2015 at 10:58 AM, Darien Huss <dhuss at emergingthreats.net> wrote:
> This works in 2.0.8:
>
> pcre:"/\.com$/W";
>
> On Fri, Jun 19, 2015 at 2:39 AM, Darren Spruell <phatbuckett at gmail.com>
> wrote:
>>
>> For normalized HTTP headers, and with PCRE /W modifier for the
>> http_host buffer (for example), does matching end of buffer accept a
>> bare $ anchor or is the header's \r\n / 0x0d0a / CRLF left intact?
>>
>> Wondering for example if matching Host headers with the glob *.in
>> should be done as:
>>
>> pcre:"/\.in$/W";
>>
>> or:
>>
>> pcre:"/\.in\r$/W";
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>
>



-- 
Darren Spruell
phatbuckett at gmail.com
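
Added example, not part of the original thread: Python's `re` applies the same default `$` rule as PCRE (end of subject, or just before a final newline), so it can show which buffer shapes each of the two expressions from the question accepts. The host value and the four buffer variants are constructed for illustration, not captured from Suricata.

```python
import re

# Constructed sample buffers: the same Host value as it would look with each
# possible line terminator left in place (assumed shapes, not Suricata output).
BUFFERS = {
    "normalized": "shop.example.in",
    "trailing LF": "shop.example.in\n",
    "trailing CR": "shop.example.in\r",
    "trailing CRLF": "shop.example.in\r\n",
}

# The two candidate expressions from the thread, without the Suricata /W flag
# (that flag selects the http_host buffer; it is not a regex option).
PATTERNS = {
    "bare": r"\.in$",
    "with_cr": r"\.in\r$",
}


def match_matrix(buffers=BUFFERS, patterns=PATTERNS):
    """Return {buffer_name: {pattern_name: bool}} for every combination."""
    return {
        bname: {pname: re.search(p, buf) is not None
                for pname, p in patterns.items()}
        for bname, buf in buffers.items()
    }


def terminators_ruled_out(pattern_name, matrix=None):
    """Buffer shapes that cannot be present if `pattern_name` is seen to match."""
    matrix = matrix or match_matrix()
    return sorted(b for b, row in matrix.items() if not row[pattern_name])


if __name__ == "__main__":
    for name, row in match_matrix().items():
        print(f"{name:14} bare={row['bare']!s:5} with_cr={row['with_cr']}")
    print("a bare-$ match rules out:", terminators_ruled_out("bare"))
```

A match on the bare `$` form excludes any buffer that still carries a CR, but it would also succeed on a buffer ending in a lone LF, so the two expressions alone do not separate those two cases.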


