We have a mechanism that may help – flowvars – but I don’t think that will allow the comparison logic to work the way you’d like.
I did check into those, and I agree, they don’t quite meet the use case.
That said, we could make a change to
byte_extract
to extract “byte buffers” with restrictions to prevent the value from being used in places where a numeric value is expected.
I’m all for it!
I found additional examples of this scattered in the ET ruleset. One of the more common ones was used within Phishing sigs and utilized PCRE capture groups on the http.header buffer to compare the host extracted from the Referer header with the Host header.
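As an added illustration (not an ET rule and not code from this thread) of the PCRE-capture-group pattern described above: a single `pcre` over the `http.header` sticky buffer captures the `Host` value, then uses a backreference to check the host in `Referer` against it. This version alerts when the two differ; the sid is a placeholder in the local range and the msg text is hypothetical.

```suricata
# Added example, not an ET signature. Captures the Host header value into group 1,
# then alerts when the Referer host is not that same value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Referer host differs from Host header"; flow:established,to_server; http.header; pcre:"/^Host:\x20*([^\r\n]+)\r\n[\s\S]*?^Referer:\x20*https?:\/\/(?!\1(?:[\/:]|\r\n))/mi"; classtype:policy-violation; sid:1000001; rev:1;)
```

The comparison only works here because both values live in one buffer, so a backreference can reach the captured text; the regex relies on `Host` preceding `Referer` in the request and treats `example.com:8080` and `example.com` as different hosts. Comparing a captured string against a value in a different buffer, or in a later rule, is exactly what neither this pattern nor a numeric `byte_extract` variable can do.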
I’ll get a feature submitted.