REQ-SIZE, RESP-SIZE, SIZE Condition

<< Click to Display Table of Contents >>

Navigation:  Event and Object Analysis > Capture Results Filtering > Prefiltering HTTP Requests > Conditions >

REQ-SIZE, RESP-SIZE, SIZE Condition

The condition checks the full size (including headers) of an HTTP object.

Description

Conditions of the size group check the full (including headers) size of the HTTP request/response.

req-size

True if the size of the HTTP request matches the condition.

resp-size

True if the size of the HTTP response matches the condition.

size

True if the size of the HTTP request or one of the HTTP response matches the condition.

Format

<c name="req-size" op="<operation>" value="<compare pattern>" />
<c name="resp-size" op="<operation>" value="<compare pattern>" />
<c name="size" op="<operation>" value="<compare pattern>" />

The "name" attribute:

The name attribute specifies the name of the condition: name="req-size", name="resp-size" or name="size".

The "value" attribute:

The value="..." attribute specifies the number to which the size of the HTTP object is compared.

<number> or <number>B

Specifies the size in bytes

<number>K

Specifies the size in Kbytes

<number>M

Specifies the size in Mbytes

<number>G

Specifies the size in Gbytes

The "op" attribute:

The op="..." attribute specifies the type of comparison. Possible values:

eq or = or ==

True if the size is EQUAL TO the specified value

ne or != or <>

True if the size is NOT EQUAL TO the specified value

lt or <

True if the size is LESS THAN the specified value

gt or >

True if the size is GREATER THAN the specified value

le or <=

True if the size is LESS THAN OR EQUAL TO the specified value

ge or >=

True if the size is GREATER THAN OR EQUAL TO the specified value

Example

The rule stops processing any HTTP objects with the request size over 100KB or the response size over 1MB.

<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
 <comment>HTTP filter.</comment>
 <table name="main">
 
   <rule enabled="1">
     <comment>
       The rule stops processing HTTP objects with the request size
       over 100KB or the response size over 1MB.
     </comment>
     <match>
       <or>
         <c name="req-size" op=">" value="100K"/>
         <c name="resp-size" op="gt" value="1M"/>
       </or>
     </match>
     <action name="drop" />
   </rule>
 </table>
</filter>