http_header_test
The http_header_test rule option is used to perform various tests on a specific HTTP header field. The tests that can be performed in this option include a test to see whether the header field's value is numeric or not, a check to see whether a header field's value is within a given range, and a check to see whether a given field is absent.
This rule option takes a few different arguments, one of which is the name of the header field to run the tests against. Specifying this field is done with the field argument followed by the name of the field we want to test. The subsequent arguments are the specific tests to run against that particular field, and rule writers can specify multiple tests at once by separating them with commas.
As mentioned above, there are three tests that can be performed on a given header. First is the numeric test to check if a given field is numeric or not. This argument requires specifying either true or false after it to look for numeric headers and non-numeric headers, respectively.
Next is the check argument, which is used to check a numeric header against a given number range. This range is specified after check, and the format for specifying a range is described below.
Last is the absent argument, which simply checks if a given field is absent.
Note that you can also optionally add ,request to the rule option to only perform tests against the request headers, even when examining the response.
Format:
http_header_test:field header_name[,numeric {true|false}][,check range][,absent][,request];
A range can either be a single value comparison:
[<|>|=|!|<=|>=]number
Or it can be a range between two integer values:
min_number{<>|<=>}max_number
Examples:
# check that the Content-Length header value is numeric
# and that its value is >40000000
http_header_test:field content-length,numeric true,check >40000000;
# check that the Content-Length header value is not numeric
http_header_test:field content-length,numeric false;
# check that the User-Agent field is absent
http_header_test:field user-agent,absent;
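To make the argument and range grammar above concrete, here is a small Python model of the option, useful for sanity-checking a rule's logic against sample headers before loading it. It is an added example, not Snort's own code, and the function names are hypothetical. Assumptions not stated on this page: <> is treated as an exclusive range and <=> as inclusive, "numeric" means ASCII digits only, a missing header fails the numeric and check tests, and the request argument is parsed but not modelled.

```python
import re

# Range grammar from the page: [<|>|=|!|<=|>=]number  or  min{<>|<=>}max
_SINGLE = re.compile(r"^(<=|>=|<|>|=|!)?(\d+)$")
_PAIR = re.compile(r"^(\d+)(<=>|<>)(\d+)$")
SAMPLE = {"Host": "example.test", "Content-Length": "50000000"}  # constructed

def parse_range(spec):
    """Turn a range string into a predicate int -> bool."""
    m = _PAIR.match(spec)
    if m:
        lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "<=>":                       # assumed inclusive
            return lambda n: lo <= n <= hi
        return lambda n: lo < n < hi          # assumed exclusive
    m = _SINGLE.match(spec)
    if not m:
        raise ValueError(f"bad range: {spec!r}")
    op, num = m.group(1) or "=", int(m.group(2))
    return {"<": lambda n: n < num, ">": lambda n: n > num,
            "=": lambda n: n == num, "!": lambda n: n != num,
            "<=": lambda n: n <= num, ">=": lambda n: n >= num}[op]

def parse_option(body):
    """Parse the text between 'http_header_test:' and the closing ';'."""
    opt = dict(field=None, numeric=None, check=None, absent=False, request=False)
    for part in (p.strip() for p in body.split(",")):
        key, _, val = part.partition(" ")
        if key in ("absent", "request"):      # request is parsed but not modelled
            opt[key] = True
        elif key == "numeric":
            opt["numeric"] = {"true": True, "false": False}[val.strip()]
        elif key == "check":
            opt["check"] = parse_range(val.strip())
        elif key == "field":
            opt["field"] = val.strip().lower()
        else:
            raise ValueError(f"unknown argument: {part!r}")
    return opt

def matches(body, headers):
    """Evaluate the option against a dict of header name -> value."""
    opt = parse_option(body)
    value = {k.lower(): v.strip() for k, v in headers.items()}.get(opt["field"])
    if opt["absent"] or value is None:        # assumed: missing header fails other tests
        return opt["absent"] and value is None
    is_num = value.isascii() and value.isdigit()   # assumed: digits only
    if opt["numeric"] is not None and is_num != opt["numeric"]:
        return False
    return opt["check"] is None or (is_num and opt["check"](int(value)))
```

For instance, matches("field content-length,numeric true,check >40000000", SAMPLE) evaluates the first rule example above against the constructed headers.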