<< Click to Display Table of Contents >> Navigation: Event and Object Analysis > Capture Results Filtering > Prefiltering HTTP Requests > Conditions > REQ-SIZE, RESP-SIZE, SIZE Condition |
The condition checks the full size (including headers) of an HTTP object.
Description
Conditions of the size group check the full (including headers) size of the HTTP request/response.
req-size
True if the size of the HTTP request matches the condition.
resp-size
True if the size of the HTTP response matches the condition.
size
True if the size of the HTTP request or one of the HTTP response matches the condition.
Format
<c name="req-size" op="<operation>" value="<compare pattern>" />
<c name="resp-size" op="<operation>" value="<compare pattern>" />
<c name="size" op="<operation>" value="<compare pattern>" />
The "name" attribute:
The name attribute specifies the name of the condition: name="req-size", name="resp-size" or name="size".
The "value" attribute:
The value="..." attribute specifies the number to which the size of the HTTP object is compared.
<number> or <number>B
Specifies the size in bytes
<number>K
Specifies the size in Kbytes
<number>M
Specifies the size in Mbytes
<number>G
Specifies the size in Gbytes
The "op" attribute:
The op="..." attribute specifies the type of comparison. Possible values:
eq or = or ==
True if the size is EQUAL TO the specified value
ne or != or <>
True if the size is NOT EQUAL TO the specified value
lt or <
True if the size is LESS THAN the specified value
gt or >
True if the size is GREATER THAN the specified value
le or <=
True if the size is LESS THAN OR EQUAL TO the specified value
ge or >=
True if the size is GREATER THAN OR EQUAL TO the specified value
Example
The rule stops processing any HTTP objects with the request size over 100KB or the response size over 1MB.
<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
<comment>HTTP filter.</comment>
<table name="main">
<rule enabled="1">
<comment>
The rule stops processing HTTP objects with the request size
over 100KB or the response size over 1MB.
</comment>
<match>
<or>
<c name="req-size" op=">" value="100K"/>
<c name="resp-size" op="gt" value="1M"/>
</or>
</match>
<action name="drop" />
</rule>
</table>
</filter>