Forum Discussion
A lot late to the party, but I needed to do the same.
I noticed one thing: the total header size calculation is slightly wrong. It only counts the total for the header values, but doesn't include the header names themselves.
For instance, for the header "Connection: keep-alive", it was only counting the string length of "keep-alive"; it was counting that as 10 bytes and not the correct 22 bytes for that actual header line. If you have a lot of headers with long names and short values it can throw your count off by a reasonable amount.
You need to add together the string length of the header name, the string length of the header value, plus 2 (this accounts for the ": " between the header name and value).
In our case we have upped the max header value to 64k, and we're using this to work out what the actual maximum is.
So to remedy:
when RULE_INIT {
    # Threshold (in bytes) above which a request's header total is logged
    set static::Header_Alert_Size 32768
}
when HTTP_REQUEST {
    set header_total 0
    foreach header [HTTP::header names] {
        # name + ": " separator + value, i.e. the full header line
        incr header_total [string length $header]
        incr header_total 2
        incr header_total [string length [HTTP::header value $header]]
    }
    if { $header_total > $static::Header_Alert_Size } {
        set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
        log local0. "$LogString - Header Total $header_total bytes"
    }
}
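The same calculation in Python, as an added example rather than code from the post or from F5: it parses a constructed header block and reports the old value-only count next to the corrected name + ": " + value count, plus the on-the-wire size (each line also carries a CRLF, which the post's formula does not include). The ALERT_SIZE threshold and the sample headers are assumptions.

```python
# Added example (not the forum post's iRule): recompute the header-size
# total the way the corrected iRule does, over a constructed request.
from typing import Dict, List, Tuple

ALERT_SIZE = 32768  # mirrors static::Header_Alert_Size in the iRule

# Constructed sample header block (everything after the request line)
SAMPLE = (
    b"Host: example.test\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Long-Header-Name-Padding: v\r\n"
)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, one per line."""
    pairs = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        pairs.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return pairs


def header_totals(headers: List[Tuple[str, str]]) -> Dict[str, int]:
    """Value-only count (the undercounting original), the corrected count
    from the post (name + 2 + value), and the real on-wire size (+ CRLF)."""
    values_only = sum(len(v) for _, v in headers)
    corrected = sum(len(n) + 2 + len(v) for n, v in headers)
    on_wire = sum(len(n) + 2 + len(v) + 2 for n, v in headers)
    return {"values_only": values_only, "corrected": corrected, "on_wire": on_wire}


def exceeds_alert(headers: List[Tuple[str, str]], limit: int = ALERT_SIZE) -> bool:
    """True when the corrected header total would trigger the iRule's log line."""
    return header_totals(headers)["corrected"] > limit


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE)
    for key, total in header_totals(parsed).items():
        print(f"{key:12s} {total} bytes")
    print("alert:", exceeds_alert(parsed))
```

Running it shows the value-only count at 23 bytes against 69 bytes for the corrected count, which is the gap the post describes for headers with long names and short values.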