Chapter 6 Advanced Expressions: Parsing HTTP, TCP, and UDP Data 115
Following is an example that evaluates to TRUE if a response body of 1024 bytes
contains the string “https”, and this string occurs after the string “start string” and
before the string “end string”:
http.res.body(1024).after_str("start_string").before_str("end_
string").contains("https")
Note: You can apply any text operation to the payload body . For information on
operations that you can apply to text, see “Advanced Expressions: Evaluating
Text,” on page 63.
Expressions for HTTP Headers
One common method of evaluating HTTP traffic is to examine the headers in a
request or a response. A header can perform a number of functions, including the
following:
Provide cookies that contain data about the sender.
Identify the type of data that is being transmitted.
Identify the route that the data has traveled (the Via header).
As noted in the section “About Evaluating HTTP and TCP Payload,” on page
114, the EXISTS operation identifies if a request or a response contains a
particular object. Following is a request-time example that determines if a
particular header type exists:
http.req.header("myHeader").exists
You can configure expressions to identify almost any data in a header, including
header types and values, and almost any type of information in a Cookie header.
Note: Note that if the same operation is used to evaluate header and text data,
the header-based operation always overrides any text-based operation.