HTTP Keywords
These keywords are specialized in matching specific parts of an HTTP flow. All of them can be used in combination with all content modifiers, such as depth, distance, offset, nocase and within.
Note
All buffers except the raw ones are normalized: any trailing carriage return and newline characters are removed.
The following request keywords are available:
Keyword | Type | Direction
---|---|---
http.uri | Sticky Buffer | Request
http.uri.raw | Sticky Buffer | Request
http.method | Sticky Buffer | Request
http.request_line | Sticky Buffer | Request
http.request_body | Sticky Buffer | Request
http.header | Sticky Buffer | Both
http.host | Sticky Buffer | Request
http.host.raw | Sticky Buffer | Request
http.user_agent | Sticky Buffer | Request
http.accept | Sticky Buffer | Request
http.accept_enc | Sticky Buffer | Request
http.accept_lang | Sticky Buffer | Request
http.cookie | Sticky Buffer | Both
http.referer | Sticky Buffer | Request
http.connection | Sticky Buffer | Request
http.content_type | Sticky Buffer | Both
http.protocol | Sticky Buffer | Both
http.header_names | Sticky Buffer | Both
The following response keywords are available:
Keyword | Type | Direction
---|---|---
http.location | Sticky Buffer | Response
http.stat_code | Sticky Buffer | Response
http.stat_msg | Sticky Buffer | Response
http.response_line | Sticky Buffer | Response
http.response_body | Sticky Buffer | Response
http.header | Sticky Buffer | Both
http.cookie | Sticky Buffer | Both
http.content_type | Sticky Buffer | Both
http.protocol | Sticky Buffer | Both
http.header_names | Sticky Buffer | Both
http.host
Sticky buffer to match on the normalized HTTP host. Normalization consists of truncating port information and converting all characters to lowercase.
Patterns matching on this buffer should be all lowercase or have the nocase flag set. A pattern containing uppercase characters is accepted by the rule parser, but it can never match the lowercased buffer.
Example:
alert http any any -> any any (http.host; content:"abc.com"; sid:1;)
http.host.raw
Sticky buffer to match on the raw HTTP host. This buffer might include port information.
Example:
alert http any any -> any any (http.host.raw; content:"AbC.com:80"; sid:1;)
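To make the difference between the two buffers concrete, the following added example (not code from the original page or from the project it documents) derives the http.host and http.host.raw buffers from a constructed request and evaluates the two rules above, plus a mixed-case pattern with and without nocase. The request bytes, the helper names and the simplified content matcher are all assumptions of this example.

```python
# Added example, not code from the original page or from the project it documents.
# Builds the http.host and http.host.raw buffers from a constructed request and
# evaluates content patterns against them the way the two rules above would.


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body).

    Header names are lowercased for lookup; the first occurrence of a name wins.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body


def strip_port(host: bytes) -> bytes:
    """Remove a trailing :port, leaving IPv6 literals such as [::1] intact."""
    if host.startswith(b"["):
        end = host.find(b"]")
        return host if end == -1 else host[: end + 1]
    return host.split(b":", 1)[0]


def host_buffers(raw: bytes):
    """Return (http.host, http.host.raw) for a request.

    The normalized buffer drops the port and lowercases, as the page describes;
    the raw buffer is the Host header value exactly as sent.
    """
    _, headers, _ = split_request(raw)
    raw_host = headers.get(b"host", b"")
    return strip_port(raw_host).lower(), raw_host


def content_match(buf: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Minimal 'content' check: substring match, case-insensitive with nocase."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: AbC.com:80\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)


def evaluate_rules(raw: bytes = SAMPLE_REQUEST) -> dict:
    """Evaluate the two rules from the page plus a mixed-case pattern without nocase."""
    norm, raw_host = host_buffers(raw)
    return {
        'http.host content:"abc.com"': content_match(norm, b"abc.com"),
        'http.host content:"AbC.com"': content_match(norm, b"AbC.com"),
        'http.host content:"AbC.com" nocase': content_match(norm, b"AbC.com", nocase=True),
        'http.host.raw content:"AbC.com:80"': content_match(raw_host, b"AbC.com:80"),
    }


if __name__ == "__main__":
    for rule, hit in evaluate_rules().items():
        print(f"{'MATCH' if hit else 'no match':8} {rule}")
```

The mixed-case pattern without nocase never fires on the normalized buffer, which is the practical reason for the lowercase advice above; the raw buffer keeps both the original case and the port.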
http.method
Sticky buffer to match on the HTTP method. This buffer can match a maximum of 16 bytes.
Examples of methods are: GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.
http.uri and http.uri.raw
Sticky buffers to match on the raw HTTP request URI. Currently, http.uri and http.uri.raw are synonyms. No normalization is performed for http.uri.
urilen
The urilen keyword is used to match on the length of the request URI. The < (less than) and > (greater than) operators can be used. Possible formats of urilen are:
urilen:1;
urilen:>1;
urilen:<10;
urilen:10<>20; (greater than 10, less than 20)
Example of urilen in a signature:
alert tcp any any -> any any (classtype:misc-attack; \
http.uri; content:"placeholder"; urilen:11<>13, raw; sid:1;)
You can also append norm or raw to define whether the normalized or the raw buffer is measured.
Note
Inspection of the normalized buffer (via norm) is currently not supported.
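The following added example (not code from the original page or from the project it documents) parses the urilen forms listed above into a length predicate and applies it to the request URI of a constructed request. The ", raw" suffix is accepted and ", norm" is rejected, mirroring the note that the normalized buffer cannot be inspected; the regular expression, the helper names and the sample request are assumptions of this example.

```python
# Added example, not code from the original page or from the project it documents.
# Parses 'urilen' option syntax (N, >N, <N, N<>M, optional ', raw'/', norm') and
# applies it to the request-target of a constructed HTTP/1.x request.
import re

_URILEN_SPEC = re.compile(
    r"^\s*(?:(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)|(?P<op>[<>]?)\s*(?P<n>\d+))\s*$"
)


def parse_urilen(spec: str):
    """Turn 'N', '>N', '<N' or 'N<>M' (optionally ', raw') into a length predicate."""
    body, _, mode = spec.partition(",")
    mode = mode.strip() or "raw"
    if mode == "norm":
        # The page notes that normalized-buffer inspection is not supported.
        raise NotImplementedError("urilen on the normalized buffer is not supported")
    if mode != "raw":
        raise ValueError(f"unknown urilen buffer selector: {mode!r}")
    m = _URILEN_SPEC.match(body)
    if m is None:
        raise ValueError(f"malformed urilen spec: {spec!r}")
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo >= hi:
            raise ValueError("range lower bound must be below upper bound")
        return lambda length: lo < length < hi  # both ends exclusive
    n, op = int(m.group("n")), m.group("op")
    if op == ">":
        return lambda length: length > n
    if op == "<":
        return lambda length: length < n
    return lambda length: length == n


def request_uri(raw: bytes) -> bytes:
    """Extract the request-target from the first line of a raw HTTP/1.x request."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    return parts[1]


def urilen_matches(spec: str, raw: bytes) -> bool:
    """True if the request's raw URI length satisfies the urilen spec."""
    return parse_urilen(spec)(len(request_uri(raw)))


# Constructed request whose URI "/placeholder" is 12 bytes, matching the signature above.
SAMPLE_REQUEST = b"GET /placeholder HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for spec in ("11<>13, raw", "12", ">12", "<10", "10<>20"):
        print(f"urilen:{spec:<12} -> {urilen_matches(spec, SAMPLE_REQUEST)}")
```

Because the range form is exclusive at both ends, urilen:11<>13 matches exactly the 12-byte URI of the example signature, while urilen:12<>20 does not.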
http.protocol
Sticky buffer to match on the HTTP protocol field from the HTTP request or response line. If the request line is 'GET / HTTP/1.0\r\n', then this buffer will contain 'HTTP/1.0'.
Example:
alert http any any -> any any (http.protocol; content:"HTTP/1.0"; sid:1;)
http.request_line
Sticky buffer to match on the whole HTTP request line. Assuming the request line is 'GET / HTTP/1.1\r\n', then this buffer will contain 'GET / HTTP/1.1'.
Example:
alert http any any -> any any (http.request_line; content:"GET / HTTP/1.1"; sid:1;)
http.header
Sticky buffer to match on the whole HTTP header.
Example:
alert http any any -> any any (http.header; content:"Sun, 03 May 2015 23:02:37 GMT"; sid:1;)
Note
The http.header.raw keyword is not supported.
http.user_agent
Sticky buffer to match on the HTTP user agent in a HTTP request.
Example:
alert http any any -> any any (http.user_agent; content:"Bittorrent"; sid:1;)
http.accept
Sticky buffer to match on the HTTP accept header.
Example:
alert http any any -> any any (http.accept; content:"image/gif"; sid:1;)
http.accept_enc
Sticky buffer to match on the HTTP accept encoding header.
Example:
alert http any any -> any any (http.accept_enc; content:"gzip"; sid:1;)
http.accept_lang
Sticky buffer to match on the HTTP accept language header.
Example:
alert http any any -> any any (http.accept_lang; content:"en-us"; sid:1;)
http.connection
Sticky buffer to match on the HTTP connection header.
Example:
alert http any any -> any any (http.connection; content:"keep-alive"; sid:1;)
http.content_type
Sticky buffer to match on the HTTP content type header.
Example:
alert http any any -> any any (http.content_type; content:"x-www-form-urlencoded"; sid:1;)
http.referer
Sticky buffer to match on the HTTP referer header.
Example:
alert http any any -> any any (http.referer; content:".php"; sid:1;)
http.header_names
Sticky buffer to match on an artificial buffer containing only the names of all seen HTTP headers.
Example buffer:
\r\nHost\r\n\r\n
Example rule:
alert http any any -> any any (http.header_names; content:"|0d 0a|Host|0d 0a|"; sid:1;)
Example to make sure only Host is present:
alert http any any -> any any (http.header_names; \
content:"|0d 0a|Host|0d 0a 0d 0a|"; sid:1;)
Example to make sure User-Agent is directly after Host:
alert http any any -> any any (http.header_names; \
content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|"; sid:1;)
Example to make sure User-Agent is after Host, but not necessarily directly after:
alert http any any -> any any (http.header_names; \
content:"|0d 0a|Host|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; \
distance:-2; sid:1;)
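The following added example (not code from the original page or from the project it documents) builds the artificial http.header_names buffer from constructed requests and emulates sequential content matching with distance, so the four rules above can be checked against different header orders. The fourth rule is modelled with "|0d 0a|User-Agent|0d 0a|" as its second content, the CRLF delimiter the buffer actually contains; the helper names, the simplified matcher and the sample requests are assumptions of this example.

```python
# Added example, not code from the original page or from the project it documents.
# Builds the http.header_names buffer ("\r\nName1\r\nName2\r\n\r\n") and emulates a
# chain of 'content' matches with optional 'distance' to evaluate the four rules.


def header_names_buffer(raw: bytes) -> bytes:
    """Build the header-names buffer from the header block of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = [line.split(b":", 1)[0] for line in head.split(b"\r\n")[1:] if line]
    return b"\r\n" + b"".join(name + b"\r\n" for name in names) + b"\r\n"


def match_contents(buf: bytes, contents) -> bool:
    """Emulate a chain of content matches.

    contents is a list of (pattern, distance). A pattern with distance None is
    absolute and may match anywhere; a pattern with a distance is relative and is
    searched from (end of previous match + distance), so distance:-2 lets it
    re-use the CRLF that closed the previous match.
    """
    prev_end = 0
    for pattern, distance in contents:
        start = 0 if distance is None else max(0, prev_end + distance)
        idx = buf.find(pattern, start)
        if idx == -1:
            return False
        prev_end = idx + len(pattern)
    return True


# The four example rules from the page, as (pattern, distance) chains.
RULES = {
    "rule 1: Host present": [(b"\r\nHost\r\n", None)],
    "rule 2: only Host": [(b"\r\nHost\r\n\r\n", None)],
    "rule 3: User-Agent directly after Host": [(b"\r\nHost\r\nUser-Agent\r\n", None)],
    "rule 4: User-Agent after Host": [
        (b"\r\nHost\r\n", None),
        (b"\r\nUser-Agent\r\n", -2),
    ],
}

# Constructed requests (not captured traffic), differing only in header order.
REQUESTS = {
    "host only": b"GET / HTTP/1.1\r\nHost: a.test\r\n\r\n",
    "host, ua": b"GET / HTTP/1.1\r\nHost: a.test\r\nUser-Agent: x\r\n\r\n",
    "host, accept, ua": b"GET / HTTP/1.1\r\nHost: a.test\r\nAccept: */*\r\nUser-Agent: x\r\n\r\n",
    "ua, host": b"GET / HTTP/1.1\r\nUser-Agent: x\r\nHost: a.test\r\n\r\n",
}


def evaluate(request: bytes) -> dict:
    """Map each rule name to whether it matches the request's header-names buffer."""
    buf = header_names_buffer(request)
    return {name: match_contents(buf, contents) for name, contents in RULES.items()}


if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:18} {header_names_buffer(req)!r}")
        for name, hit in evaluate(req).items():
            print(f"    {'MATCH' if hit else 'no match':8} {name}")
```

Running it shows one caveat worth knowing: rule 2 also fires on the "ua, host" request, because the pattern only pins Host against the end of the buffer, so it really checks that Host is the last header. To require Host as the sole header, the example's suggestion (not from the page) is to additionally restrict the match to the start of the buffer with depth:10, since the 10-byte pattern can then only match at offset 0.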
http.request_body
Sticky buffer to match on the HTTP request body.
Note
The older http_client_body modifier keyword is deprecated and should no longer be used.
http.stat_msg
Sticky buffer to match on the HTTP status message.
http.stat_code
Sticky buffer to match on the HTTP status code. This buffer can match a maximum of 16 bytes.
Example:
alert http any any -> any any (http.stat_code; content:"200"; sid:1;)
http.response_line
Sticky buffer to match on the HTTP response line.
Example:
alert http any any -> any any (http.response_line; content:"HTTP/1.0 200 OK"; sid:1;)
http.response_body
Sticky buffer to match on the HTTP response body.
Example:
alert http any any -> any any (http.response_body; content:"|0A 0B|</span>"; sid:1;)
Note
http.response_body matches on the decompressed body data, just like file_data does. The older http_server_body modifier keyword is deprecated and should no longer be used.
http.location
Sticky buffer to match on the HTTP location headers.
Example:
alert http any any -> any any (http.location; content:"http://www.genua.de"; sid:1;)
file_data
Synonym for http.response_body.
file.data
Synonym for file_data.