Introduction

Rule hits can be extracted from HTTP responses in two ways:
  • by defining boundaries
  • by applying a regular expression

Defining boundaries

When a rule defines boundaries, any occurrence of a left boundary within an HTTP response marks the beginning of a rule hit. From this point onward within the HTTP response, the first occurrence of a right boundary marks the end of the rule hit.

Left boundaries can be defined in three ways:
  • Strings: Any occurrence of a given string in an HTTP response marks the beginning of a rule hit.
  • Regular Expressions: Any substring of a HTTP response that matches a specified regular expression marks the beginning of a rule hit.
  • Offset Calculations: HTTP responses are run through the Offset Calculation to determine the beginning of a rule hit. Offset Calculation is explained in section “Offset, Length”.
Right boundaries can be defined in four ways:
  • Strings: The next occurrence of a given string after the left boundary position marks the end of the rule hit.
  • Regular Expressions: The next sub string of the HTTP response matching the given regular expression after the left boundary position marks the end of the rule hit.
  • Length: The end of a rule hit is determined by running part of an HTTP response (from the beginning of the rule hit through to the end of the response) through a Length Calculation. Length Calculation is explained in Section “Offset, Length”.
  • Character type: The next character that matches a given set of character types marks the end of the rule hit.

Applying regular expressions

If a rule defines a regular expression, any substring of an HTTP response that matches that regular expression yields a rule hit. By default, the entire match is the rule hit. Alternately, the rule can define a tag number so that the tagged subexpression is the rule hit.