HTTP Keywords

These keywords are specialized in matching specific parts of an HTTP flow.

All keywords can be used in combination with all content modifiers, such as depth, distance, offset, nocase and within.

Note

All buffers except the raw keywords are normalized. Any trailing carriage return and newline characters are removed.

The following request keywords are available:

Keyword              Type           Direction
http.uri             Sticky Buffer  Request
http.uri.raw         Sticky Buffer  Request
http.method          Sticky Buffer  Request
http.request_line    Sticky Buffer  Request
http.request_body    Sticky Buffer  Request
http.header          Sticky Buffer  Both
http.host            Sticky Buffer  Request
http.host.raw        Sticky Buffer  Request
http.user_agent      Sticky Buffer  Request
http.accept          Sticky Buffer  Request
http.accept_enc      Sticky Buffer  Request
http.accept_lang     Sticky Buffer  Request
http.cookie          Sticky Buffer  Both
http.referer         Sticky Buffer  Request
http.connection      Sticky Buffer  Request
http.content_type    Sticky Buffer  Both
http.protocol        Sticky Buffer  Both
http.header_names    Sticky Buffer  Both

The following response keywords are available:

Keyword              Type           Direction
http.location        Sticky Buffer  Response
http.stat_code       Sticky Buffer  Response
http.stat_msg        Sticky Buffer  Response
http.response_line   Sticky Buffer  Response
http.response_body   Sticky Buffer  Response
http.header          Sticky Buffer  Both
http.cookie          Sticky Buffer  Both
http.content_type    Sticky Buffer  Both
http.protocol        Sticky Buffer  Both
http.header_names    Sticky Buffer  Both

http.host

Sticky buffer to match on the normalized HTTP host. Normalization consists of truncating port information and converting all characters to be lowercase. Patterns matching on this buffer should be all lowercase or have the nocase flag set, although it is not strictly required.

Example:

alert http any any -> any any (http.host; content:"abc.com"; sid:1;)

http.host.raw

Sticky buffer to match on the raw HTTP host. This buffer might include port information.

Example:

alert http any any -> any any (http.host.raw; content:"AbC.com:80"; sid:1;)
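The difference between the two host buffers is easy to get wrong when writing a rule. The following script is an added example, not code from this documentation or from the Suricata project: it models the normalization described above (port removed, characters lowercased) and shows which of the two example patterns matches which buffer. The function names, the IPv6-literal handling and the sample Host value are assumptions made for the illustration.

```python
# Added example: models the http.host / http.host.raw buffers described in the
# documentation. Function names and sample data are constructed for illustration.


def normalize_host(raw_host: str) -> str:
    """Apply the http.host normalization the docs describe:
    drop the port suffix, then lowercase the remainder."""
    host = raw_host.strip()
    # Assumption of this model: an IPv6 literal keeps its bracketed colons,
    # so '[::1]:8080' becomes '[::1]' rather than '['.
    if host.startswith("["):
        bracket_end = host.find("]")
        if bracket_end != -1:
            host = host[: bracket_end + 1]
    elif ":" in host:
        host = host.split(":", 1)[0]
    return host.lower()


def content_matches(buffer: str, pattern: str, nocase: bool = False) -> bool:
    """Emulate one 'content' keyword against a sticky buffer."""
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


def evaluate(raw_host: str, pattern: str, nocase: bool = False) -> dict:
    """Check one pattern against both host buffers derived from a Host value."""
    return {
        "http.host": content_matches(normalize_host(raw_host), pattern, nocase),
        "http.host.raw": content_matches(raw_host, pattern, nocase),
    }


if __name__ == "__main__":
    # Constructed sample Host header value, mixed case and with a port.
    sample = "AbC.com:80"
    print("normalized:", normalize_host(sample))
    print('content:"abc.com"     ->', evaluate(sample, "abc.com"))
    print('content:"AbC.com:80"  ->', evaluate(sample, "AbC.com:80"))
    print('content:"ABC.COM" nocase ->', evaluate(sample, "ABC.COM", nocase=True))
```

The lowercase pattern hits http.host but not http.host.raw, the mixed-case pattern with the port hits only the raw buffer, and nocase makes a pattern's case irrelevant on either buffer without touching the port.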

http.method

Sticky buffer to match on the HTTP method. This buffer can match a maximum of 16 bytes.

Examples of methods are: GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.

http.uri and http.uri.raw

Sticky buffers to match on the raw HTTP request URI. Currently, http.uri and http.uri.raw are synonyms. No normalization is performed for http.uri.

urilen

The urilen keyword is used to match on the length of the request URI. The < (less than) and > (greater than) operators can be used.

Possible formats of urilen are:

urilen:1;
urilen:>1;
urilen:<10;
urilen:10<>20;        (greater than 10, less than 20)

Example of urilen in a signature:

alert tcp any any -> any any (classtype:misc-attack; \
http.uri; content:"placeholder"; urilen:11<>13, raw; sid:1;)

You can also append norm or raw to define if you want to use normalized or raw buffers.

Note

Inspection of the normalized buffer (via norm) is currently not supported.

http.protocol

Sticky buffer to match on the HTTP protocol field from the HTTP request or response line. If the request line is ‘GET / HTTP/1.0\r\n’, then this buffer will contain ‘HTTP/1.0’.

Example:

alert http any any -> any any (http.protocol; content:"HTTP/1.0"; sid:1;)

http.request_line

Sticky buffer to match on the whole HTTP request line. Assuming the request line is ‘GET / HTTP/1.1\r\n’, then this buffer will contain ‘GET / HTTP/1.1’.

Example:

alert http any any -> any any (http.request_line; content:"GET / HTTP/1.1"; sid:1;)

http.header

Sticky buffer to match on the whole HTTP header.

Example:

alert http any any -> any any (http.header; content:"Sun, 03 May 2015 23:02:37 GMT"; sid:1;)

Note

The http.header.raw keyword is not supported.

http.user_agent

Sticky buffer to match on the HTTP user agent in an HTTP request.

Example:

alert http any any -> any any (http.user_agent; content:"Bittorrent"; sid:1;)

http.accept

Sticky buffer to match on the HTTP accept header.

Example:

alert http any any -> any any (http.accept; content:"image/gif"; sid:1;)

http.accept_enc

Sticky buffer to match on the HTTP accept encoding header.

Example:

alert http any any -> any any (http.accept_enc; content:"gzip"; sid:1;)

http.accept_lang

Sticky buffer to match on the HTTP accept language header.

Example:

alert http any any -> any any (http.accept_lang; content:"en-us"; sid:1;)

http.connection

Sticky buffer to match on the HTTP connection header.

Example:

alert http any any -> any any (http.connection; content:"keep-alive"; sid:1;)

http.content_type

Sticky buffer to match on the HTTP content type header.

Example:

alert http any any -> any any (http.content_type; content:"x-www-form-urlencoded"; sid:1;)

http.referer

Sticky buffer to match on the HTTP referer header.

Example:

alert http any any -> any any (http.referer; content:".php"; sid:1;)

http.header_names

Sticky buffer to match on an artificial buffer containing only the names of all seen HTTP headers.

Example buffer:

\r\nHost\r\n\r\n

Example rule:

alert http any any -> any any (http.header_names; content:"|0d 0a|Host|0d 0a|"; sid:1;)

Example to make sure only Host is present:

alert http any any -> any any (http.header_names; \
        content:"|0d 0a|Host|0d 0a 0d 0a|"; sid:1;)

Example to make sure User-Agent is directly after Host:

alert http any any -> any any (http.header_names; \
        content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|"; sid:1;)

Example to make sure User-Agent is after Host, but not necessarily directly after:

alert http any any -> any any (http.header_names; \
        content:"|0d 0a|Host|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; \
        distance:-2; sid:1;)

http.request_body

Sticky buffer to match on the HTTP request body.

Note

The older http_client_body modifier keyword is deprecated and should no longer be used.

http.stat_msg

Sticky buffer to match on the HTTP status message.

http.stat_code

Sticky buffer to match on the HTTP status code. This buffer can match a maximum of 16 bytes.

Example:

alert http any any -> any any (http.stat_code; content:"200"; sid:1;)

http.response_line

Sticky buffer to match on the HTTP response line.

Example:

alert http any any -> any any (http.response_line; content:"HTTP/1.0 200 OK"; sid:1;)

http.response_body

Sticky buffer to match on the HTTP response body.

Example:

alert http any any -> any any (http.response_body; content:"|0A 0B|</span>"; sid:1;)

Note

  • http.response_body matches on deflated data just like file_data does.

  • The older http_server_body modifier keyword is deprecated and should no longer be used.

http.location

Sticky buffer to match on the HTTP Location header.

Example:

alert http any any -> any any (http.location; content:"http://www.genua.de"; sid:1;)

file_data

Synonym for http.response_body.

file.data

Synonym for file_data.