New classification expressions "contains"
name: Feature request
about: New classification expressions "contains"
Sometimes I find the need to classify a DHCP client based on a string of byte-sequence in the DHCP request, but the string or byte-sequence might vary in position inside the packet (option) data (based on version of the client product).
A new classification expression that will search a sub-string or byte-sequence inside packet data and reporting the boolean value based on the existence of this sub-string or byte-sequence would be helpful.
Proposed example:
"client-classes": [
{ "name": "foo",
"test": "contains(substring(option[60].hex,0,3),'bar','i')",
"option-data": [{
"name": "domain-name", "data": "bar.example.com" }]
},
{ "name": "baz",
"test": "contains(hexstring(option[55].hex),'01:79:03','')",
"option-data": [{
"name": "domain-name", "data": "quux.example.com" }]
},
Proposed syntax format
contains('base-string','search-string','options')
where 'options' modify the search, e.g. using 'i' for case-insensitive search