[prev in list] [next in list] [prev in thread] [next in thread]
List: oisf-users
Subject: Re: [Oisf-users] http_cookie matches headers case-insensitive?
From: Victor Julien <lists () inliniac ! net>
Date: 2015-08-25 8:15:01
Message-ID: 55DC2405.1020708 () inliniac ! net
[Download RAW message or body]
On 08/24/2015 07:01 PM, Darren Spruell wrote:
> Hi,
>
> Hoping to verify that header matching on the http_cookie modifer and
> associated PCRE modifier (/C) can work regardless of the casing on the
> HTTP header; i.e. both of these examples are extracted for the target
> buffer correctly:
>
> set-cookie: bss=KTDhAUz38vWYQLy2SPcAAdm5c6AK; Version=1; Expires=Mon,
> 03-Nov-2014 05:45:33 GMT; Max-Age=600; Path=/
>
> Set-Cookie: bss=CMjA4YU38t73e2lVITBAAdnpRGcF; Version=1; Expires=Thu,
> 20-Aug-2015 10:18:56 GMT; Max-Age=600; Path=/
>
> I'm sure this must be the case but just want to validate.
Yep, it's case insensitive.
> When inspecting the buffer, is the header name present? Or does the
> buffer only include the header value? For example, would
> pcre:"/^bss=/C"; match the above samples correctly?
>
Value only. So your example should match.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic