http_num_headers
The http_num_headers rule option is used to compare the number of HTTP headers present in an HTTP packet against a specific value.
Users can check whether the total number of headers present is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value.
Additionally, users can also use http_num_headers to look for a count value that is between two numbers. This is done by setting the sign to <> or <=> and putting the minimum count to the left of the sign and the maximum count to the right of it. The <> case is for an exclusive min-max check, while the <=> is for an inclusive min-max check.
Valid http_num_headers number values are 0 through 65535 (inclusive).
Note that you can also optionally add ,request to the rule option to only count the number of request headers, even when examining the response.
Format:
Single value comparison:
http_num_headers:[<|>|=|!|<=|>=]count[,request];
Range comparison:
http_num_headers:min_count{<>|<=>}max_count[,request];
Examples:
# Look for an HTTP packet containing more than 100 headers
http_num_headers:>100;
# Look for an HTTP packet containing exactly 100 headers
http_num_headers:100;
# Look for an HTTP packet containing somewhere between
# 50 and 100 headers (exclusive)
http_num_headers:50<>100;
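The comparison semantics above can be checked before a rule is deployed. The following Python sketch is an added example, not Snort's own parser: it models the argument syntax exactly as given in the Format section, and the names parse_num_headers and matches, along with the tolerance for spaces and a trailing semicolon, are assumptions made for illustration.

```python
import re

# Operators listed in the page's "Format" section; a bare count means "equal".
_SINGLE = re.compile(r"^(<=|>=|<|>|=|!)?(\d+)$")
_RANGE = re.compile(r"^(\d+)(<=>|<>)(\d+)$")
MAX_COUNT = 65535  # valid values are 0 through 65535 (inclusive)


def _count(text):
    value = int(text)
    if value > MAX_COUNT:
        raise ValueError(f"count {value} outside 0..{MAX_COUNT}")
    return value


def parse_num_headers(option):
    """Return (predicate, request_only) for an http_num_headers argument (hypothetical helper)."""
    body, sep, suffix = option.strip().rstrip(";").partition(",")
    if sep and suffix.strip() != "request":
        raise ValueError(f"unknown suffix: {suffix!r}")
    body = body.replace(" ", "")  # assumption: spaces are ignored
    m = _RANGE.match(body)
    if m:
        lo, hi = _count(m.group(1)), _count(m.group(3))
        if m.group(2) == "<>":  # exclusive min-max check
            return (lambda n: lo < n < hi), bool(sep)
        return (lambda n: lo <= n <= hi), bool(sep)  # <=> is inclusive
    m = _SINGLE.match(body)
    if not m:
        raise ValueError(f"bad http_num_headers argument: {option!r}")
    op, val = m.group(1) or "=", _count(m.group(2))
    tests = {
        "<": lambda n: n < val, ">": lambda n: n > val,
        "=": lambda n: n == val, "!": lambda n: n != val,
        "<=": lambda n: n <= val, ">=": lambda n: n >= val,
    }
    return tests[op], bool(sep)


def matches(option, header_count):
    """Evaluate the option against a header count (constructed input)."""
    predicate, _ = parse_num_headers(option)
    return predicate(header_count)


if __name__ == "__main__":
    for opt in (">100", "100", "50<>100", "50<=>100", "!0,request"):
        print(opt, [n for n in (0, 50, 51, 100, 101) if matches(opt, n)])
```

Running it shows the boundary behaviour that is easy to get wrong when writing a rule: 50<>100 does not match a count of 50 or 100, while 50<=>100 matches both.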