http_client_body
Sets the detection cursor to the body of an HTTP request. When an HTTP message does not specify an HTTP header, Snort normalizes http_client_body using URI normalization. URI normalization is typically applied to http_header.
Syntax: http_client_body;
Examples: http_client_body;
http_cookie
Sets the detection cursor to the extracted HTTP Cookie header field.
The http_cookie rule option includes the parameters: http_cookie.request, http_cookie.with_header, http_cookie.with_body, and http_cookie.with_trailer.
Syntax: http_cookie: <parameter>, <parameter>;
Examples: http_cookie: request;
http_cookie.request
Matches the HTTP cookie found in the HTTP request message. Use the HTTP request cookie when examining the HTTP response. The http_cookie.request parameter is optional.
Syntax: http_cookie: request;
Examples: http_cookie: request;
http_cookie.with_header
Specifies that the rule can only examine the HTTP message headers. The http_cookie.with_header parameter is optional.
Syntax: http_cookie: with_header;
Examples: http_cookie: with_header;
http_cookie.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_cookie rule option. The http_cookie.with_body parameter is optional.
Syntax: http_cookie: with_body;
Examples: http_cookie: with_body;
http_cookie.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_cookie rule option. The http_cookie.with_trailer parameter is optional.
Syntax: http_cookie: with_trailer;
Examples: http_cookie: with_trailer;
http_header
Sets the detection cursor to the normalized HTTP headers. You can specify individual header names using the field option.
The http_header rule option includes the parameters: http_header.field, http_header.request, http_header.with_header, http_header.with_body, and http_header.with_trailer.
Syntax: http_header: field <field_name>, <parameter>, <parameter>;
Examples: http_header: field Content-Type, with_trailer;
http_header.field
Matches the specified header name to the normalized HTTP headers. The header name is case insensitive. If you do not specify a header name, the HTTP inspector examines all headers except the HTTP cookie headers (Cookie and Set-Cookie).
Type: string
Syntax: http_header: field <field_name>;
Valid values: An HTTP header name.
Examples: http_header: field Content-Type;
http_header.request
Matches the headers found in the HTTP request. Use the HTTP request headers when examining the HTTP response. The http_header.request parameter is optional.
Syntax: http_header: request;
Examples: http_header: request;
http_header.with_header
Specifies that the rule can only examine the HTTP message headers. The http_header.with_header parameter is optional.
Syntax: http_header: with_header;
Examples: http_header: with_header;
http_header.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_header rule option. The http_header.with_body parameter is optional.
Syntax: http_header: with_body;
Examples: http_header: with_body;
http_header.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_header rule option. The http_header.with_trailer parameter is optional.
Syntax: http_header: with_trailer;
Examples: http_header: with_trailer;
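The following is an added illustration, not Snort's code and not part of this reference, of how the http_cookie and http_header buffers are carved out of a request as the two entries above describe them: the Cookie header goes to http_cookie, http_header without a field holds every header except Cookie and Set-Cookie, and http_header: field <name> selects one header by a case-insensitive name. The sample request is constructed; mapping http_cookie to Set-Cookie on a response and joining repeated headers of the same name with a comma are assumptions, and Snort's own header normalization (folding, whitespace, encoding) is not modelled.

```python
from typing import List, Optional, Tuple

# Header names the reference says http_header skips unless a field is named.
COOKIE_HEADERS = {"cookie", "set-cookie"}

# Constructed sample request, not captured traffic.
SAMPLE_REQUEST = (
    b"GET /index.html?id=7 HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: text/plain\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"X-Custom: one\r\n"
    b"X-Custom: two\r\n"
    b"\r\n"
)


def parse_headers(message: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, in wire order."""
    head, _, _body = message.partition(b"\r\n\r\n")
    pairs = []
    for raw in head.split(b"\r\n")[1:]:          # [1:] drops the request/status line
        name, sep, value = raw.partition(b":")
        if not sep:
            continue                              # no colon: not a header line
        pairs.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return pairs


def http_cookie_buffer(message: bytes, response: bool = False) -> Optional[str]:
    """Buffer the http_cookie option exposes: Cookie on a request,
    Set-Cookie on a response (the response mapping is an assumption)."""
    wanted = "set-cookie" if response else "cookie"
    for name, value in parse_headers(message):
        if name.lower() == wanted:
            return value
    return None


def http_header_buffer(message: bytes, field: Optional[str] = None) -> Optional[str]:
    """Buffer the http_header option exposes, optionally narrowed by `field <name>`.

    Without a field: every header except Cookie/Set-Cookie, joined with CRLF.
    With a field: the matching header values only; the name comparison is
    case-insensitive, and repeated headers are joined with a comma (assumption).
    """
    pairs = parse_headers(message)
    if field is None:
        kept = [f"{n}: {v}" for n, v in pairs if n.lower() not in COOKIE_HEADERS]
        return "\r\n".join(kept) + "\r\n" if kept else None
    values = [v for n, v in pairs if n.lower() == field.lower()]
    return ",".join(values) if values else None
```

Calling http_header_buffer(SAMPLE_REQUEST, "content-type") returns "text/plain" even though the header was sent as Content-Type, which is the case-insensitive field match the reference describes; the cookie line never appears in the unfielded http_header buffer, so a rule that needs it must use http_cookie.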
http_method
Sets the detection cursor to the method of the HTTP request. The common HTTP request method values are GET, POST, OPTIONS, HEAD, DELETE, PUT, TRACE, and CONNECT.
The http_method rule option includes the parameters: http_method.with_header, http_method.with_body, and http_method.with_trailer.
Syntax: http_method: <parameter>, <parameter>;
Examples: http_method; content:"GET";
http_method.with_header
Specifies that the rule can only examine the HTTP message headers. The http_method.with_header parameter is optional.
Syntax: http_method: with_header;
Examples: http_method: with_header;
http_method.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_method rule option. The http_method.with_body parameter is optional.
Syntax: http_method: with_body;
Examples: http_method: with_body;
http_method.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_method rule option. The http_method.with_trailer parameter is optional.
Syntax: http_method: with_trailer;
Examples: http_method: with_trailer;
http_param
Sets the detection cursor to the specified HTTP parameter key. The HTTP parameter key may appear in the query or request body.
The http_param rule option includes the parameters: http_param.param and http_param.nocase.
Syntax: http_param: <parameter_key>, nocase;
Examples: http_param: offset, nocase;
http_param.param
Matches the specified parameter.
Type: string
Syntax: http_param: <http_parameter>;
Valid values: A request query parameter or request body field.
Examples: http_param: offset;
http_param.nocase
Matches the specified parameter without considering case. The http_param.nocase parameter is optional.
Syntax: http_param: nocase;
Examples: http_param: nocase;
http_raw_body
Sets the detection cursor to the unnormalized request or response message body.
Syntax: http_raw_body;
Examples: http_raw_body;
http_raw_cookie
Sets the detection cursor to the unnormalized HTTP Cookie header.
The http_raw_cookie rule option includes the parameters: http_raw_cookie.request, http_raw_cookie.with_header, http_raw_cookie.with_body, and http_raw_cookie.with_trailer.
Syntax: http_raw_cookie: <parameter>, <parameter>;
Examples: http_raw_cookie: request;
http_raw_cookie.request
Matches the cookie found in the HTTP request. Use the HTTP request cookie when examining the response message. The http_raw_cookie.request parameter is optional.
Syntax: http_raw_cookie: request;
Examples: http_raw_cookie: request;
http_raw_cookie.with_header
Specifies that the rule can only examine the HTTP message headers. The http_raw_cookie.with_header parameter is optional.
Syntax: http_raw_cookie: with_header;
Examples: http_raw_cookie: with_header;
http_raw_cookie.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_raw_cookie rule option. The http_raw_cookie.with_body parameter is optional.
Syntax: http_raw_cookie: with_body;
Examples: http_raw_cookie: with_body;
http_raw_cookie.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_raw_cookie rule option. The http_raw_cookie.with_trailer parameter is optional.
Syntax: http_raw_cookie: with_trailer;
Examples: http_raw_cookie: with_trailer;
http_raw_header
Sets the detection cursor to the unnormalized headers. http_raw_header includes all of the unmodified header names and values in the original message.
The http_raw_header rule option includes the parameters: http_raw_header.field, http_raw_header.request, http_raw_header.with_header, http_raw_header.with_body, and http_raw_header.with_trailer.
Syntax: http_raw_header: field <field_name>, <parameter>, <parameter>;
Examples: http_raw_header: field Content-Type, with_trailer;
http_raw_header.field
Matches the specified header name to the unnormalized HTTP headers. The header name is case insensitive. If you do not specify a header name, the HTTP inspector examines all headers except the HTTP cookie headers (Cookie and Set-Cookie).
Type: string
Syntax: http_raw_header: field <field_name>;
Valid values: An HTTP header name.
Examples: http_raw_header: field Content-Type;
http_raw_header.request
Matches the headers found in the HTTP request message. Use the HTTP request headers when examining the response message. The http_raw_header.request parameter is optional.
Syntax: http_raw_header: request;
Examples: http_raw_header: request;
http_raw_header.with_header
Specifies that the rule can only examine the HTTP message headers. The http_raw_header.with_header parameter is optional.
Syntax: http_raw_header: with_header;
Examples: http_raw_header: with_header;
http_raw_header.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_raw_header rule option. The http_raw_header.with_body parameter is optional.
Syntax: http_raw_header: with_body;
Examples: http_raw_header: with_body;
http_raw_header.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_raw_header rule option. The http_raw_header.with_trailer parameter is optional.
Syntax: http_raw_header: with_trailer;
Examples: http_raw_header: with_trailer;
http_raw_request
Sets the detection cursor to the unnormalized request line. To examine a specific part of the first header line, use one of the following rule options: http_method, http_raw_uri, or http_version.
The http_raw_request rule option includes the parameters: http_raw_request.with_header, http_raw_request.with_body, and http_raw_request.with_trailer.
Syntax: http_raw_request: <parameter>, <parameter>;
Examples: http_raw_request: with_header;
http_raw_request.with_header
Specifies that the rule can only examine the HTTP message headers. The http_raw_request.with_header parameter is optional.
Syntax: http_raw_request: with_header;
Examples: http_raw_request: with_header;
http_raw_request.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_raw_request rule option. The http_raw_request.with_body parameter is optional.
Syntax: http_raw_request: with_body;
Examples: http_raw_request: with_body;
http_raw_request.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_raw_request rule option. The http_raw_request.with_trailer parameter is optional.
Syntax: http_raw_request: with_trailer;
Examples: http_raw_request: with_trailer;
http_raw_status
Sets the detection cursor to the unnormalized status line. To examine a specific part of the status line, use one of the following rule options: http_version, http_stat_code, or http_stat_msg.
The http_raw_status rule option includes the parameters: http_raw_status.with_body and http_raw_status.with_trailer.
Syntax: http_raw_status: <parameter>, <parameter>;
Examples: http_raw_status: with_body;
http_raw_status.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_raw_status rule option. The http_raw_status.with_body parameter is optional.
Syntax: http_raw_status: with_body;
Examples: http_raw_status: with_body;
http_raw_status.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_raw_status rule option. The http_raw_status.with_trailer parameter is optional.
Syntax: http_raw_status: with_trailer;
Examples: http_raw_status: with_trailer;
http_raw_trailer
Sets the detection cursor to the unnormalized HTTP trailers. Trailers contain information about the message content. The trailers are not available when the client request creates HTTP headers. http_raw_trailer is identical to http_raw_header, except that it applies to the end headers. You must create separate rules to inspect the HTTP headers and trailers.
The http_raw_trailer rule option includes the parameters: http_raw_trailer.field, http_raw_trailer.request, http_raw_trailer.with_header, and http_raw_trailer.with_body.
Syntax: http_raw_trailer: field <field_name>, <parameter>, <parameter>;
Examples: http_raw_trailer: field <field_name>, request;
http_raw_trailer.field
Matches the specified trailer name to the unnormalized HTTP trailers. The trailer name is case insensitive.
Type: string
Syntax: http_raw_trailer: field <field_name>;
Valid values: An HTTP trailer name.
Examples: http_raw_trailer: field trailer-timestamp;
http_raw_trailer.request
Matches the trailers found in the HTTP request message. Use the HTTP request trailers when examining the response message. The http_raw_trailer.request parameter is optional.
Syntax: http_raw_trailer: request;
Examples: http_raw_trailer: request;
http_raw_trailer.with_header
Specifies that the rule can only examine the HTTP response headers. The http_raw_trailer.with_header parameter is optional.
Syntax: http_raw_trailer: with_header;
Examples: http_raw_trailer: with_header;
http_raw_trailer.with_body
Specifies that another part of the rule examines the HTTP response message body, not the http_raw_trailer rule option. The http_raw_trailer.with_body parameter is optional.
Syntax: http_raw_trailer: with_body;
Examples: http_raw_trailer: with_body;
http_raw_uri
Sets the detection cursor to the unnormalized URI.
The http_raw_uri rule option includes the parameters: http_raw_uri.with_header, http_raw_uri.with_body, http_raw_uri.with_trailer, http_raw_uri.scheme, http_raw_uri.host, http_raw_uri.port, http_raw_uri.path, http_raw_uri.query, and http_raw_uri.fragment.
Syntax: http_raw_uri: <parameter>, <parameter>;
Examples: http_raw_uri: with_header, path, query;
http_raw_uri.with_header
Specifies that the rule can only examine the HTTP message headers. The http_raw_uri.with_header parameter is optional.
Syntax: http_raw_uri: with_header;
Examples: http_raw_uri: with_header;
http_raw_uri.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_raw_uri rule option. The http_raw_uri.with_body parameter is optional.
Syntax: http_raw_uri: with_body;
Examples: http_raw_uri: with_body;
http_raw_uri.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_raw_uri rule option. The http_raw_uri.with_trailer parameter is optional.
Syntax: http_raw_uri: with_trailer;
Examples: http_raw_uri: with_trailer;
http_raw_uri.scheme
Matches only against the scheme of the URI. The http_raw_uri.scheme parameter is optional.
Syntax: http_raw_uri: scheme;
Examples: http_raw_uri: scheme;
http_raw_uri.host
Matches only against the host (domain name) of the URI. The http_raw_uri.host parameter is optional.
Syntax: http_raw_uri: host;
Examples: http_raw_uri: host;
http_raw_uri.port
Matches only against the port (TCP port) of the URI. The http_raw_uri.port parameter is optional.
Syntax: http_raw_uri: port;
Examples: http_raw_uri: port;
http_raw_uri.path
Matches only against the path section (directory and file) of the URI. The http_raw_uri.path parameter is optional.
Syntax: http_raw_uri: path;
Examples: http_raw_uri: path;
http_raw_uri.query
Matches only against the query parameters in the URI. The http_raw_uri.query parameter is optional.
Syntax: http_raw_uri: query;
Examples: http_raw_uri: query;
http_raw_uri.fragment
Matches only against the fragment section of the URI. A fragment is part of the file requested, normally found only inside a browser and not transmitted over the network. The http_raw_uri.fragment parameter is optional.
Syntax: http_raw_uri: fragment;
Examples: http_raw_uri: fragment;
http_stat_code
Sets the detection cursor to the HTTP status code. The HTTP status code is a three-digit number ranging from 100 to 599.
The http_stat_code rule option includes the parameters: http_stat_code.with_body and http_stat_code.with_trailer.
Syntax: http_stat_code: <parameter>, <parameter>;
Examples: http_stat_code: with_trailer;
http_stat_code.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_stat_code rule option. The http_stat_code.with_body parameter is optional.
Syntax: http_stat_code: with_body;
Examples: http_stat_code: with_body;
http_stat_code.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_stat_code rule option. The http_stat_code.with_trailer parameter is optional.
Syntax: http_stat_code: with_trailer;
Examples: http_stat_code: with_trailer;
http_stat_msg
Sets the detection cursor to the HTTP status message. The HTTP status message describes the HTTP status code in plain text, for example: OK.
The http_stat_msg rule option includes the parameters: http_stat_msg.with_body and http_stat_msg.with_trailer.
Syntax: http_stat_msg: <parameter>, <parameter>;
Examples: http_stat_msg: with_body;
http_stat_msg.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_stat_msg rule option. The http_stat_msg.with_body parameter is optional.
Syntax: http_stat_msg: with_body;
Examples: http_stat_msg: with_body;
http_stat_msg.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_stat_msg rule option. The http_stat_msg.with_trailer parameter is optional.
Syntax: http_stat_msg: with_trailer;
Examples: http_stat_msg: with_trailer;
http_trailer
Sets the detection cursor to the normalized trailers. Trailers contain information about the message content. The trailers are not available when the client request creates HTTP headers. http_trailer is identical to http_header, except that it applies to the end headers. You must create separate rules to inspect the HTTP headers and trailers.
The http_trailer rule option includes the parameters: http_trailer.field, http_trailer.request, http_trailer.with_header, and http_trailer.with_body.
Syntax: http_trailer: field <field_name>, <parameter>, <parameter>;
Examples: http_trailer: field trailer-timestamp, with_body;
http_trailer.field
Matches the specified trailer name to the normalized HTTP trailers. The trailer name is case insensitive.
Type: string
Syntax: http_trailer: field <field_name>;
Valid values: An HTTP trailer name.
Examples: http_trailer: field trailer-timestamp;
http_trailer.request
Matches the trailers found in the HTTP request message. Use the HTTP request trailers when examining the response message. The http_trailer.request parameter is optional.
Syntax: http_trailer: request;
Examples: http_trailer: request;
http_trailer.with_header
Specifies that another part of the rule examines the HTTP message headers, not the http_trailer rule option. The http_trailer.with_header parameter is optional.
Syntax: http_trailer: with_header;
Examples: http_trailer: with_header;
http_trailer.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_trailer rule option. The http_trailer.with_body parameter is optional.
Syntax: http_trailer: with_body;
Examples: http_trailer: with_body;
http_true_ip
Sets the detection cursor to the final client IP address. When a client sends a request, the proxy server stores the final client IP address. A client IP address is the last IP address listed in the X-Forwarded-For, True-Client-IP, or any other custom X-Forwarded-For type header. If multiple headers are present, Snort considers the headers defined in xff_headers.
The http_true_ip rule option includes the parameters: http_true_ip.with_header, http_true_ip.with_body, and http_true_ip.with_trailer.
Syntax: http_true_ip: <parameter>, <parameter>;
Examples: http_true_ip: with_header;
http_true_ip.with_header
Specifies that the rule can only examine the HTTP message headers. The http_true_ip.with_header parameter is optional.
Syntax: http_true_ip: with_header;
Examples: http_true_ip: with_header;
http_true_ip.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_true_ip rule option. The http_true_ip.with_body parameter is optional.
Syntax: http_true_ip: with_body;
Examples: http_true_ip: with_body;
http_true_ip.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_true_ip rule option. The http_true_ip.with_trailer parameter is optional.
Syntax: http_true_ip: with_trailer;
Examples: http_true_ip: with_trailer;
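An added illustration (not Snort's code, and not part of this reference) of the address selection behind http_true_ip as the entry above describes it: the client IP is the last address listed in X-Forwarded-For, True-Client-IP or a similar custom header, and when several such headers are present the inspector's xff_headers setting decides which one counts. The setting is modelled here as an ordered list of header names, the header list is constructed, and two details are assumptions: repeated headers of the same name are read as one comma-separated list, and tokens that are not IP address literals (such as "unknown") are ignored.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumed stand-in for the inspector's xff_headers setting: header names in
# order of preference, compared case-insensitively.
XFF_HEADERS = ["x-forwarded-for", "true-client-ip", "x-real-ip"]

# Constructed header list (name, value), as parsed from a proxied request.
CONSTRUCTED_HEADERS = [
    ("Host", "example.test"),
    ("X-Forwarded-For", "203.0.113.10, 198.51.100.7"),
    ("x-forwarded-for", "192.0.2.44, unknown"),
    ("True-Client-IP", "203.0.113.99"),
]


def true_client_ip(headers: List[Tuple[str, str]],
                   xff_headers: List[str] = XFF_HEADERS) -> Optional[str]:
    """Return the address http_true_ip would expose, or None if no forwarding
    header is present.

    The first name in xff_headers that occurs in the request wins; repeated
    headers of that name are read as one comma-separated list (assumption),
    tokens that are not IP addresses are skipped (assumption), and the last
    remaining address is the client IP, as the reference describes.
    """
    for preferred in xff_headers:
        values = [v for n, v in headers if n.lower() == preferred.lower()]
        if not values:
            continue
        addresses = []
        for value in values:
            for token in value.split(","):
                token = token.strip()
                try:
                    addresses.append(str(ipaddress.ip_address(token)))
                except ValueError:
                    continue                      # not an IP address literal
        if addresses:
            return addresses[-1]
    return None
```

With the constructed headers the result is 192.0.2.44, the last address across both X-Forwarded-For lines; passing ["true-client-ip"] as the preference list instead yields 203.0.113.99, which is the kind of difference the xff_headers setting makes to what an http_true_ip rule sees.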
http_uri
Sets the detection cursor to the normalized URI buffer.
The http_uri rule option includes the parameters: http_uri.with_header, http_uri.with_body, http_uri.with_trailer, http_uri.scheme, http_uri.host, http_uri.port, http_uri.path, http_uri.query, and http_uri.fragment.
Syntax: http_uri: <parameter>, <parameter>;
Examples: http_uri: with_trailer, path, query;
http_uri.with_header
Specifies that the rule can only examine the HTTP message headers. The http_uri.with_header parameter is optional.
Syntax: http_uri: with_header;
Examples: http_uri: with_header;
http_uri.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_uri rule option. The http_uri.with_body parameter is optional.
Syntax: http_uri: with_body;
Examples: http_uri: with_body;
http_uri.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_uri rule option. The http_uri.with_trailer parameter is optional.
Syntax: http_uri: with_trailer;
Examples: http_uri: with_trailer;
http_uri.scheme
Matches only against the scheme of the URI. The http_uri.scheme parameter is optional.
Syntax: http_uri: scheme;
Examples: http_uri: scheme;
http_uri.host
Matches only against the host (domain name) of the URI. The http_uri.host parameter is optional.
Syntax: http_uri: host;
Examples: http_uri: host;
http_uri.port
Matches only against the port (TCP port) of the URI. The http_uri.port parameter is optional.
Syntax: http_uri: port;
Examples: http_uri: port;
http_uri.path
Matches only against the path (directory and file) of the URI. The http_uri.path parameter is optional.
Syntax: http_uri: path;
Examples: http_uri: path;
http_uri.query
Matches only against the query parameters in the URI. The http_uri.query parameter is optional.
Syntax: http_uri: query;
Examples: http_uri: query;
http_uri.fragment
Matches only against the fragment section of the URI. A fragment is part of the file requested, normally found only inside a browser and not transmitted over the network. The http_uri.fragment parameter is optional.
Syntax: http_uri: fragment;
Examples: http_uri: fragment;
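An added illustration, not Snort's code and not part of this reference, of two things described above: the URI sections that the scheme, host, port, path, query and fragment parameters of http_uri and http_raw_uri select, and the query-or-body lookup behind the http_param entry earlier on this page. It uses Python's urllib splitter on constructed inputs; the absolute-form target carries a fragment only to show which section it would occupy, since browsers do not normally send one. Consulting the query before the request body for http_param is an assumption, and Snort's URI normalization (the difference between http_uri and http_raw_uri) is not modelled.

```python
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed request-targets, not captured traffic. The absolute form is what
# a proxy request carries; the origin form is the usual one.
ABSOLUTE_TARGET = "http://example.test:8080/app/items.php?id=7&sort=asc#top"
ORIGIN_TARGET = "/search?Offset=10&q=x"
FORM_BODY = "offset=20&user=alice"              # constructed form-urlencoded body


def uri_sections(target: str) -> Dict[str, Optional[str]]:
    """Split a request-target into the sections the scheme, host, port, path,
    query and fragment parameters select. Absent sections are None."""
    parts = urlsplit(target)
    return {
        "scheme": parts.scheme or None,
        "host": parts.hostname,                  # urlsplit lower-cases the host
        "port": str(parts.port) if parts.port is not None else None,
        "path": parts.path or None,
        "query": parts.query or None,
        "fragment": parts.fragment or None,
    }


def http_param_value(target: str, body: Optional[str], key: str,
                     nocase: bool = False) -> Optional[str]:
    """Value that http_param: <key> would place under the cursor.

    The key may appear in the URI query or in a form-urlencoded request body;
    the query is consulted first (assumption). With nocase the key comparison
    ignores case, as the http_param.nocase parameter specifies.
    """
    sources = [urlsplit(target).query]
    if body:
        sources.append(body)
    for source in sources:
        for name, value in parse_qsl(source, keep_blank_values=True):
            if name == key or (nocase and name.lower() == key.lower()):
                return value
    return None
```

For the origin-form target the scheme, host and port sections are all None, which is why a rule that keys on http_uri: host sees nothing for ordinary requests and needs the Host header instead; and http_param_value(ORIGIN_TARGET, FORM_BODY, "offset") returns the body's "20" while the same call with nocase=True returns the query's "10", the case distinction http_param.nocase controls.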
http_version
Sets the detection cursor to the beginning of the HTTP version buffer. http_version accepts various HTTP versions. The most commonly found versions are HTTP/1.0 and HTTP/1.1.
The http_version rule option includes the parameters: http_version.request, http_version.with_header, http_version.with_body, and http_version.with_trailer.
Syntax: http_version: <parameter>, <parameter>;
Examples: http_version; content:"HTTP/1.1";
http_version.request
Matches the version found in the HTTP request. Use the request version when examining the response message. The http_version.request parameter is optional.
Syntax: http_version: request;
Examples: http_version: request;
http_version.with_header
Specifies that the rule can only examine the HTTP message headers. The http_version.with_header parameter is optional.
Syntax: http_version: with_header;
Examples: http_version: with_header;
http_version.with_body
Specifies that another part of the rule examines the HTTP message body, not the http_version rule option. The http_version.with_body parameter is optional.
Syntax: http_version: with_body;
Examples: http_version: with_body;
http_version.with_trailer
Specifies that another part of the rule examines the HTTP message trailers, not the http_version rule option. The http_version.with_trailer parameter is optional.
Syntax: http_version: with_trailer;
Examples: http_version: with_trailer;
http_version_match
Specifies a list of HTTP versions to match against the standard HTTP versions. Separate multiple versions with a space character.
An HTTP request or status line may contain a version. If the version is present, Snort compares this version with the list specified in http_version_match. If the version does not have the format [0-9].[0-9], it is considered malformed. A version in the format [0-9].[0-9] that is not 1.0 or 1.1 is considered other.
Type: string
Syntax: http_version_match: <version_list>;
Valid values: 1.0, 1.1, 2.0, 0.9, other, malformed
Examples: http_version_match: "1.0 1.1";
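The following is an added illustration, not Snort's code and not part of this reference, of the line-level buffers and the version classification described above: http_raw_request splits into the http_method, http_raw_uri and http_version buffers, http_raw_status into http_version, http_stat_code and http_stat_msg, and http_version_match compares a classified version against a space-separated list. The classification follows the text literally: a version that is not [0-9].[0-9] is "malformed", and one that is [0-9].[0-9] but not 1.0 or 1.1 is "other". Because the model only ever sees a version string taken from a request or status line, the 2.0 and 0.9 classes never come out of it (HTTP/2 framing and HTTP/0.9 requests carry no such line). Requiring the literal "HTTP/" prefix before the digits, and treating a status code outside the three-digit 100 to 599 range as an invalid status line, are assumptions; the inputs are constructed.

```python
import re
from typing import Dict, Optional

# "[0-9].[0-9]" after the HTTP/ prefix; anything else is classed malformed.
VERSION_RE = re.compile(r"^HTTP/([0-9])\.([0-9])$")


def split_request_line(line: str) -> Optional[Dict[str, str]]:
    """http_raw_request -> the http_method, http_raw_uri and http_version buffers."""
    parts = line.split(" ")
    if len(parts) != 3:
        return None                     # not a well-formed request line
    method, raw_uri, version = parts
    return {"http_method": method, "http_raw_uri": raw_uri, "http_version": version}


def split_status_line(line: str) -> Optional[Dict[str, str]]:
    """http_raw_status -> the http_version, http_stat_code and http_stat_msg buffers."""
    parts = line.split(" ", 2)          # the status message may contain spaces
    if len(parts) < 2:
        return None
    version, code = parts[0], parts[1]
    msg = parts[2] if len(parts) == 3 else ""
    if not (len(code) == 3 and code.isdigit() and 100 <= int(code) <= 599):
        return None                     # reference: a three-digit code in 100-599
    return {"http_version": version, "http_stat_code": code, "http_stat_msg": msg}


def classify_version(version: str) -> str:
    """Class that http_version_match compares, for a version read from a text line."""
    m = VERSION_RE.match(version)
    if m is None:
        return "malformed"
    numeric = f"{m.group(1)}.{m.group(2)}"
    return numeric if numeric in ("1.0", "1.1") else "other"


def version_matches(version: str, version_list: str) -> bool:
    """True when the version's class appears in the space-separated list,
    e.g. version_matches("HTTP/1.1", "1.0 1.1")."""
    return classify_version(version) in version_list.split()
```

A detection-minded use of the last two functions is the list "other malformed": a request line carrying HTTP/1.12 or HTTP/1 is classed malformed and HTTP/3.1 is classed other, so a rule with http_version_match: "other malformed"; fires on exactly the version strings that a compliant client would never send.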
js_data
Sets the detection cursor to the normalized JavaScript data. This option is specific to the enhanced JavaScript normalizer.
Syntax: js_data;
Examples: js_data;
vba_data
Sets the detection cursor to the Microsoft Office Visual Basic for Applications macros buffer.
Syntax: vba_data;
Examples: vba_data;