http_num_trailers

The http_num_trailers rule option is used to compare the number of HTTP trailers present in an HTTP packet against a specific value.

Users can check whether the total number of trailers present is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value.

Users can also use http_num_trailers to check for a count that falls between two numbers. To do so, set the sign to <> or <=>, with the minimum count to the left of the sign and the maximum count to the right. The <> sign performs an exclusive min-max check, while <=> performs an inclusive one.

Valid http_num_trailers number values are 0 through 65535 (inclusive).

Format:

Single value comparison:
http_num_trailers:[<|>|=|!|<=|>=]count;
Range comparison:
http_num_trailers:min_count{<>|<=>}max_count;

Examples:

# Look for an HTTP packet containing more than 100 trailers
http_num_trailers:>100;
# Look for an HTTP packet containing exactly 100 trailers
http_num_trailers:100;
# Look for an HTTP packet containing somewhere between
# 50 and 100 trailers (exclusive)
http_num_trailers:50<>100;
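
The comparison semantics described above, modelled in Python as an added example (this is not Snort's own code). The names compile_check, count_trailers, matches and SAMPLE are hypothetical, and counting trailers as the field lines that follow the zero-size last chunk of a chunked body is a simplifying assumption about what gets counted.

```python
import re

MAX_COUNT = 65535  # page: valid values are 0 through 65535 (inclusive)
OPTION = re.compile(r"^(?:(\d+)(<=>|<>)(\d+)|(<=|>=|<|>|=|!)?(\d+))$")

def compile_check(arg):
    """Turn an http_num_trailers argument into a predicate over a trailer count."""
    m = OPTION.match(arg.strip().rstrip(";").replace(" ", ""))
    if not m:
        raise ValueError(f"bad http_num_trailers argument: {arg!r}")
    lo, sign, hi, op, count = m.groups()
    nums = [int(v) for v in (lo, hi, count) if v is not None]
    if any(v > MAX_COUNT for v in nums):
        raise ValueError(f"count outside 0..{MAX_COUNT}: {arg!r}")
    if sign == "<>":                      # exclusive min-max check
        return lambda n: nums[0] < n < nums[1]
    if sign == "<=>":                     # inclusive min-max check
        return lambda n: nums[0] <= n <= nums[1]
    c = nums[0]
    single = {"<": lambda n: n < c, ">": lambda n: n > c,
              "<=": lambda n: n <= c, ">=": lambda n: n >= c,
              "!": lambda n: n != c}
    return single.get(op, lambda n: n == c)   # no sign or "=": exact match

def count_trailers(chunked_body):
    """Count trailer fields after the zero-size last chunk (simplified model)."""
    pos = 0
    while True:
        eol = chunked_body.index(b"\r\n", pos)
        size = int(chunked_body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2                   # skip chunk data and its CRLF
    trailer_block = chunked_body[pos:].split(b"\r\n\r\n")[0]
    return len([line for line in trailer_block.split(b"\r\n") if line])

# Constructed sample: one 5-byte chunk followed by three trailer fields.
SAMPLE = (b"5\r\nhello\r\n0\r\n"
          b"X-Checksum: abc\r\nX-Trace: 1\r\nX-Trace: 2\r\n\r\n")

def matches(arg, chunked_body):
    return compile_check(arg)(count_trailers(chunked_body))

if __name__ == "__main__":
    for arg in (">100", "3", "3<>5", "3<=>5", "2<>4"):
        print(f"http_num_trailers:{arg};", matches(arg, SAMPLE))
```

With three trailers in the sample, 3<>5 does not match while 3<=>5 does, which is the boundary difference between the exclusive and inclusive range signs.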