<< Click to Display Table of Contents >> Navigation: Event and Object Analysis > Capture Results Filtering > Prefiltering HTTP Requests > Conditions > REQ-HEADER, RESP-HEADER Condition |
Checks the value of one of HTTP request or response headers.
Description
This condition checks if the HTTP request header value contains a substring or matches a wildcard pattern/regular expression.
Format
<c name="req-header" headername="..." op="..." value="..." />
or
<c name="resp-header" headername="..." op="..." value="..." />
The "name" attribute:
The name attribute specifies the name of the condition - name="req-header" or name="resp-header".
req-header
Checks HTTP request headers
resp-header
Checks HTTP response headers
The "headername" attribute:
The headername="..." attribute specifies the name of the header to check.
The "headername" attribute:
Specifies the string the value is compared to or the pattern to check value="...".
The "op" attribute:
The op="..." attribute specifies the type of comparison. Possible values:
eq or = or ==
True if the header value CONTAINS the specified value
ne or != or <>
True if the header value DOES NOT CONTAIN the specified value
wc or wildcard
True if the header value matches the specified wildcard pattern
re or regex or regexp
True if the header value matches the specified regular expression
Operations available for Content-Length header are listed below:
eq or = or ==
True if the header value CONTAINS the specified value
ne or != or <>
True if the header value DOES NOT CONTAIN the specified value
lt or <
True if the size is LESS THAN the specified value
gt or >
True if the size is GREATER THAN the specified value
le or <=
True if the size is LESS THAN OR EQUAL TO the specified value
ge or >=
True if the size is GREATER THAN OR EQUAL TO the specified value
These operations treat the header value as a NUMBER, not a string.
The "value" attribute:
The value="..." attribute specifies the value to search for (a string, a wildcard or a regular expression).
Warning!
For Content-Length header, provide a numeric value for the comparison.
The number should be specified as:
<number> or <number>B
Specifies the size in bytes.
<number>K
Specifies the size in Kbytes.
<number>M
Specifies the size in Mbytes.
<number>G
Specifies the size in Gbytes.
Example
Ignore requests if the Content-Length is more than 100K. Accept requests to win.mail.ru and *.yandex.ru.
<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
<comment>HTTP filter.</comment>
<table name="main">
<rule enabled="1">
<comment>
Ignore requests where Content-Length is more than 100K.
</comment>
<match>
<c name="req-header"
headername="Content-Length"
op=">" value="100K" />
</match>
<action name="drop" />
</rule>
<rule enabled="1">
<comment>
Accept requests to win.mail.ru and *.yandex.ru.
</comment>
<match>
<or>
<c name="req-header"
headername="Host" op="eq"
value="win.mail.ru" />
<c name="req-header"
headername="Host"
op="wc"
value="*.yandex.ru" />
</or>
</match>
<action name="accept" />
</rule>
</table>
</filter>