REQ-HEADER, RESP-HEADER Condition


Checks the value of an HTTP request or response header.

Description

This condition checks whether the value of an HTTP request or response header contains a substring or matches a wildcard pattern or regular expression.

Format

<c name="req-header" headername="..." op="..." value="..." />

or

<c name="resp-header" headername="..." op="..." value="..." />

The "name" attribute:

The name attribute specifies the name of the condition: name="req-header" or name="resp-header".

req-header

Checks HTTP request headers

resp-header

Checks HTTP response headers

The "headername" attribute:

The headername="..." attribute specifies the name of the header to check.

The "value" attribute:

The value="..." attribute specifies the string the header value is compared to, or the pattern to check it against.

The "op" attribute:

The op="..." attribute specifies the type of comparison. Possible values:

eq or = or ==

True if the header value CONTAINS the specified value

ne or != or <>

True if the header value DOES NOT CONTAIN the specified value

wc or wildcard

True if the header value matches the specified wildcard pattern

re or regex or regexp

True if the header value matches the specified regular expression

The operations available for the Content-Length header are listed below:

eq or = or ==

True if the header value CONTAINS the specified value

ne or != or <>

True if the header value DOES NOT CONTAIN the specified value

lt or <

True if the size is LESS THAN the specified value

gt or >

True if the size is GREATER THAN the specified value

le or <=

True if the size is LESS THAN OR EQUAL TO the specified value

ge or >=

True if the size is GREATER THAN OR EQUAL TO the specified value

These operations treat the header value as a NUMBER, not a string.

The "value" attribute:

The value="..." attribute specifies the value to search for (a string, a wildcard or a regular expression).

Warning!
For the Content-Length header, provide a numeric value for the comparison.

The number should be specified as:

<number> or <number>B

Specifies the size in bytes.

<number>K

Specifies the size in Kbytes.

<number>M

Specifies the size in Mbytes.

<number>G

Specifies the size in Gbytes.

Example

Ignore requests if the Content-Length is more than 100K. Accept requests to win.mail.ru and *.yandex.ru.

<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
 <comment>HTTP filter.</comment>
 <table name="main">
 
   <rule enabled="1">
     <comment>
       Ignore requests where Content-Length is more than 100K.
     </comment>
     <match>
       <c name="req-header"
          headername="Content-Length"
          op=">" value="100K" />
     </match>
     <action name="drop" />
   </rule>
 
   <rule enabled="1">
     <comment>
       Accept requests to win.mail.ru and *.yandex.ru.
     </comment>
     <match>
       <or>
         <c name="req-header"
            headername="Host" op="eq"
            value="win.mail.ru" />
         <c name="req-header"
            headername="Host"
            op="wc"
            value="*.yandex.ru" />
       </or>
     </match>
     <action name="accept" />
   </rule>
 </table>
</filter>
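
An added sketch, not code from the product or from this page: a Python dry-run of the condition semantics described above, for checking which rule a set of headers would hit before a filter is deployed. Assumptions: 1K = 1024 bytes, shell-style wildcards, Python regular-expression syntax, case-insensitive header names, an absent header never matches, and rules are tried in order with the first match deciding; all function names are hypothetical.

```python
import fnmatch, operator, re
import xml.etree.ElementTree as ET
# Constructed sample: the page's two example rules, condensed.
FILTER = """<filter name="HTTP filter" version="1.0"><table name="main">
 <rule enabled="1"><match>
   <c name="req-header" headername="Content-Length" op=">" value="100K" />
 </match><action name="drop" /></rule>
 <rule enabled="1"><match><or>
   <c name="req-header" headername="Host" op="eq" value="win.mail.ru" />
   <c name="req-header" headername="Host" op="wc" value="*.yandex.ru" />
 </or></match><action name="accept" /></rule>
</table></filter>"""

UNITS = {"": 1, "B": 1, "K": 1024, "M": 1024**2, "G": 1024**3}  # assumption: 1K = 1024 bytes
ALIAS = {"=": "eq", "==": "eq", "!=": "ne", "<>": "ne", "wildcard": "wc", "regex": "re",
         "regexp": "re", "<": "lt", ">": "gt", "<=": "le", ">=": "ge"}
NUM = {"lt": operator.lt, "gt": operator.gt, "le": operator.le, "ge": operator.ge}
STR = {"eq": lambda a, v: v in a, "ne": lambda a, v: v not in a,  # eq is CONTAINS per the page
       "wc": fnmatch.fnmatchcase, "re": lambda a, v: re.search(v, a) is not None}

def parse_size(text):
    """Convert <number>, <number>B, <number>K, <number>M or <number>G to bytes."""
    m = re.fullmatch(r"(\d+)([BKMG]?)", text.strip())
    if not m:
        raise ValueError(f"not a size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def check(c, req, resp):
    """Evaluate one <c> element against request/response header dicts."""
    headers = req if c.get("name") == "req-header" else resp
    name, value = c.get("headername").lower(), c.get("value")
    op = ALIAS.get(c.get("op"), c.get("op"))
    actual = {k.lower(): v for k, v in headers.items()}.get(name)
    if actual is None:
        return False  # assumption: an absent header never matches
    if name == "content-length" and op in NUM:
        return NUM[op](int(actual), parse_size(value))  # numeric, not string, comparison
    return STR[op](actual, value)  # KeyError: op unknown or not valid for this header

def holds(node, req, resp):
    """Evaluate a <c> element or an <or> group of them."""
    return any(holds(n, req, resp) for n in node) if node.tag == "or" else check(node, req, resp)

def first_action(xml_text, req, resp=None):
    """Action name of the first enabled rule whose <match> holds, else None."""
    for rule in ET.fromstring(xml_text).iter("rule"):
        conds = rule.find("match")  # assumption: several children of <match> must all hold
        if rule.get("enabled") == "1" and all(holds(n, req, resp or {}) for n in conds):
            return rule.find("action").get("name")
    return None
```

Because eq is a substring test, a Host of win.mail.ru.example.org also satisfies the first Host condition in this sketch; where an exact match is intended, the re operation with an anchored pattern is the stricter choice.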