Rule hits can be extracted from HTTP responses in two ways:
- by defining boundaries
- by applying a regular expression
Defining boundaries
When a rule defines boundaries, any occurrence of a left boundary within an HTTP response marks the beginning of a rule hit.
From this point onward within the HTTP response, the first occurrence of a right boundary marks the end of the rule hit.
Left boundaries can be defined in three ways:
- Strings: Any occurrence of a given string in an HTTP response marks the beginning of a rule hit.
- Regular Expressions: Any substring of a HTTP response that matches a specified regular expression marks the beginning of a
rule hit.
- Offset Calculations: HTTP responses are run through the Offset Calculation to determine the beginning of a rule hit. Offset
Calculation is explained in section “Offset, Length”.
Right boundaries can be defined in four ways:
- Strings: The next occurrence of a given string after the left boundary position marks the end of the rule hit.
- Regular Expressions: The next sub string of the HTTP response matching the given regular expression after the left boundary
position marks the end of the rule hit.
- Length: The end of a rule hit is determined by running part of an HTTP response (from the beginning of the rule hit through
to the end of the response) through a Length Calculation. Length Calculation is explained in Section “Offset, Length”.
- Character type: The next character that matches a given set of character types marks the end of the rule hit.
Applying regular expressions
If a rule defines a regular expression, any substring of an HTTP response that matches that regular expression yields a rule
hit. By default, the entire match is the rule hit. Alternately, the rule can define a tag number so that the tagged subexpression
is the rule hit.