http_max_trailer_line

Snort minimum required version: v3.1.42.0

The http_max_trailer_line rule option is used to perform a range check on the longest trailer line present in an HTTP request or response.

Users can check whether the longest trailer line is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value.

Users can also use http_max_trailer_line to check that the length of the longest trailer line falls between two numbers. This is done by setting the sign to <> or <=>, with the minimum length to the left of the sign and the maximum length to the right of it. The <> sign performs an exclusive min-max check, while <=> performs an inclusive min-max check.

Valid http_max_trailer_line number values are 0 through 65535 (inclusive).

Optionally, add ,request to the rule option to test only the request trailer lines, even when examining the response.

Format:

Single value comparison:
http_max_trailer_line:[<|>|=|!|<=|>=]length[,request];
Range comparison:
http_max_trailer_line:min_length{<>|<=>}max_length[,request];

Examples:

# check that the longest HTTP trailer line is longer than 256 bytes
http_max_trailer_line:>256;
# check that the longest HTTP trailer line is longer than 2 bytes
# but shorter than 5 bytes
http_max_trailer_line:2<>5;
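
To sanity-check a threshold before deploying a rule, the following added example (a Python model written for this page, not Snort's own code) parses an http_max_trailer_line argument and evaluates it against the trailers of a chunked HTTP message. Assumptions: line length excludes the CRLF terminator, an argument with no operator means equality, and the names parse_option, longest_trailer_line and matches, along with the sample traffic, are constructed for illustration.

```python
import re

# Argument grammar from the Format section: range form or single-value form.
_OPT = re.compile(r"^(?:(\d+)(<=>|<>)(\d+)|(<=|>=|<|>|=|!)?(\d+))(,request)?$")

def parse_option(arg):
    """Return (predicate, request_only) for an http_max_trailer_line argument."""
    m = _OPT.match(arg.replace(" ", ""))
    if not m:
        raise ValueError(f"bad argument: {arg!r}")
    lo, rng, hi, op, val, req = m.groups()
    nums = [int(n) for n in (lo, hi, val) if n is not None]
    if any(n > 65535 for n in nums):
        raise ValueError("length must be 0 through 65535")
    if rng == "<>":                      # exclusive min-max
        pred = lambda n: nums[0] < n < nums[1]
    elif rng == "<=>":                   # inclusive min-max
        pred = lambda n: nums[0] <= n <= nums[1]
    else:                                # assumption: no operator means "="
        v = nums[0]
        pred = {"<": lambda n: n < v, ">": lambda n: n > v, "=": lambda n: n == v,
                "!": lambda n: n != v, "<=": lambda n: n <= v,
                ">=": lambda n: n >= v}[op or "="]
    return pred, req is not None

def longest_trailer_line(raw):
    """Longest trailer line, in bytes, of a chunked HTTP/1.1 message.
    Assumption: the CRLF terminator is not counted."""
    _, _, body = raw.partition(b"\r\n\r\n")
    while True:                          # walk chunks to the zero-size last chunk
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        body = body[size + 2:]           # skip chunk data plus its CRLF
    return max((len(l) for l in body.split(b"\r\n") if l), default=0)

def matches(arg, current, request):
    """Evaluate arg against the inspected message, or the request if ',request'."""
    pred, request_only = parse_option(arg)
    return pred(longest_trailer_line(request if request_only else current))

# Constructed sample traffic: response trailers of 10 and 307 bytes, request trailer of 6.
RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n"
            b"X-Sum: abc\r\nX-Pad: " + b"A" * 300 + b"\r\n\r\n")
REQUEST = (b"POST /u HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"2\r\nhi\r\n0\r\nX-A: 1\r\n\r\n")
```

With this sample, `>256` matches when the response is inspected but `>256,request` does not, and a longest line sitting exactly on a boundary matches `<=>` but not `<>`.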