http_version_match

The http_version_match rule option is used to match the HTTP version of an HTTP message against one from a list of versions. This option will check the version present in an HTTP request or status line and use that for comparision.

Valid values to include in the version list include 1.0, 1.1, 2.0, 3.0, 0.9, malformed, and other. The list of versions should be wrapped in double quotes, and specifying multiple versions is done by separating each one with a space character.

The first five values mentioned above are used to match specific version numbers, while a malformed version is any version present in the request or status line that is not formatted like [0-9].[0-9] (i.e., single digit followed by a dot, followed by another single digit). An example of a malformed HTTP version would be 1.a.

A version value that is other is a value that is formatted correctly but is not one of the five specific version values listed above. For example, an HTTP message that specifies HTTP version 8.4 would be considered other.

Additionally, HTTP messages that falsely claim to be one version via their request or status lines are also considered other. For example, an HTTP request that follows the 1.1 format but has 0.9 in its request line would be other.

Note that you can also optionally add ,request to the rule option to match only against the version found in the request message, even when examining the response.

Format:

http_version_match:"version[ version]…"[,request];

Examples:

http_version_match:"0.9 1.0 1.1";

http_version_match:"2.0 3.0";

http_version_match:"other";

http_version_match:"malformed";