HTTP Keywords

These keywords are specialized in matching specific parts of an HTTP flow.

All keywords can be used in combination with all content modifiers, such as depth, distance, offset, nocase and within.

Note

All buffers except those of the raw keywords are normalized: any trailing carriage return and newline characters are removed.

The following request keywords are available:

Keyword             Type            Direction
http_uri            Modifier        Request
http_raw_uri        Modifier        Request
http_method         Modifier        Request
http_request_line   Sticky Buffer   Request
http_client_body    Modifier        Request
http_header         Modifier        Both
http_cookie         Modifier        Both
http_user_agent     Modifier        Request
http_accept         Sticky Buffer   Request
http_accept_lang    Sticky Buffer   Request
http_accept_enc     Sticky Buffer   Request
http_referer        Sticky Buffer   Request
http_connection     Sticky Buffer   Request
http_content_type   Sticky Buffer   Both
http_content_len    Sticky Buffer   Both
http_protocol       Sticky Buffer   Both
http_header_names   Sticky Buffer   Both

The following response keywords are available:

Keyword             Type            Direction
http_stat_msg       Modifier        Response
http_response_line  Sticky Buffer   Response
http_header         Modifier        Both
http_cookie         Modifier        Both
http_server_body    Modifier        Response
http_content_type   Sticky Buffer   Both
http_content_len    Sticky Buffer   Both
http_protocol       Sticky Buffer   Both
http_header_names   Sticky Buffer   Both

http_method

With the http_method content modifier, it is possible to match specifically and only on the HTTP method.

Examples of methods are: GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.

http_uri and http_raw_uri

Currently, http_uri and the http_raw_uri content modifiers are synonyms. They both match on the raw request URI.

urilen

The urilen keyword is used to match on the length of the request URI. The < (less than) and > (greater than) operators can be used.

Possible formats of urilen are:

urilen:1;
urilen:>1;
urilen:<10;
urilen:10<>20;        (greater than 10, less than 20)

Example of urilen in a signature:

alert tcp any any -> any any (classtype:misc-attack; \
content:"placeholder"; http_uri; urilen:11<>13, raw; sid:1;)

You can also append norm or raw to specify whether the normalized or the raw URI buffer is measured.
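As an added illustration (not Suricata code), the following Python evaluator mirrors the documented urilen forms, including the exclusive N<>M range and the optional ", raw" / ", norm" suffix, so a rule author can check which URI lengths a given spec accepts:

```python
import re

# Constructed example: mirrors the urilen forms documented above.
# Forms: N, >N, <N, N<>M (exclusive on both ends), optionally followed
# by ", raw" or ", norm" to select the buffer to measure.
_URILEN = re.compile(r"^(?:(?P<lo>\d+)<>(?P<hi>\d+)|(?P<op>[<>])?(?P<n>\d+))$")


def parse_urilen(spec: str):
    """Return (kind, a, b, buffer) for option text such as '11<>13, raw'."""
    parts = [p.strip() for p in spec.rstrip(";").split(",")]
    buffer = "norm"                      # normalized buffer is the default
    if len(parts) == 2:
        if parts[1] not in ("raw", "norm"):
            raise ValueError(f"unknown buffer selector: {parts[1]!r}")
        buffer = parts[1]
    elif len(parts) != 1:
        raise ValueError(f"unsupported urilen spec: {spec!r}")
    m = _URILEN.match(parts[0])
    if not m:
        raise ValueError(f"unsupported urilen spec: {spec!r}")
    if m.group("lo") is not None:
        return ("range", int(m.group("lo")), int(m.group("hi")), buffer)
    return (m.group("op") or "=", int(m.group("n")), None, buffer)


def urilen_matches(spec: str, uri: str) -> bool:
    """True when the byte length of uri satisfies spec."""
    kind, a, b, _buffer = parse_urilen(spec)
    n = len(uri.encode())
    if kind == "range":
        return a < n < b                 # "greater than a, less than b"
    if kind == ">":
        return n > a
    if kind == "<":
        return n < a
    return n == a
```

The rule above, `urilen:11<>13, raw`, therefore only accepts raw URIs of exactly 12 bytes.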

http_protocol

The http_protocol keyword inspects the protocol field of the HTTP request or response line. If the request line is ‘GET / HTTP/1.0\r\n’, then this buffer will contain ‘HTTP/1.0’.

Example:

alert http any any -> any any (http_protocol; content:"HTTP/1.0"; sid:1;)

http_request_line

The http_request_line keyword forces the whole HTTP request line to be inspected. Assuming the request line is ‘GET / HTTP/1.1\r\n’, then this buffer will contain ‘GET / HTTP/1.1’.

Example:

alert http any any -> any any (http_request_line; content:"GET / HTTP/1.1"; sid:1;)

http_header

With the http_header content modifier, it is possible to match specifically and only on the HTTP header buffer.

Example:

alert http any any -> any any (content:"Sun, 03 May 2015 23:02:37 GMT"; http_header; sid:1;)

Note

The http_raw_header keyword is not supported.

http_user_agent

The http_user_agent keyword restricts the match to the contents of the User-Agent header of an HTTP request.

Example:

alert http any any -> any any (content:"Bittorrent"; http_user_agent; sid:1;)

Note

The pcre keyword can also inspect this buffer when using the V modifier.

http_accept

Sticky buffer to match on the HTTP accept header.

Example:

alert http any any -> any any (http_accept; content:"image/gif"; sid:1;)

http_accept_enc

Sticky buffer to match on the HTTP accept encoding header.

Example:

alert http any any -> any any (http_accept_enc; content:"gzip"; sid:1;)

http_accept_lang

Sticky buffer to match on the HTTP accept language header.

Example:

alert http any any -> any any (http_accept_lang; content:"en-us"; sid:1;)

http_connection

Sticky buffer to match on the HTTP connection header.

Example:

alert http any any -> any any (http_connection; content:"keep-alive"; sid:1;)

http_content_type

Sticky buffer to match on the HTTP Content-Type header.

Example:

alert http any any -> any any (http_content_type; content:"x-www-form-urlencoded"; sid:1;)

http_content_len

Sticky buffer to match on the HTTP Content-Length header.

Example:

alert http any any -> any any (http_content_len; content:"123"; sid:1;)

http_referer

Sticky buffer to match on the HTTP referer header.

Example:

alert http any any -> any any (http_referer; content:".php"; sid:1;)

http_header_names

Match on a buffer containing only the HTTP header names, each delimited by CRLF, with an extra trailing CRLF.

Example buffer:

\r\nHost\r\n\r\n

Example rule:

alert http any any -> any any (http_header_names; content:"|0d 0a|Host|0d 0a|"; sid:1;)

Example to make sure only Host is present:

alert http any any -> any any (http_header_names; \
        content:"|0d 0a|Host|0d 0a 0d 0a|"; sid:1;)

Example to make sure User-Agent is directly after Host:

alert http any any -> any any (http_header_names; \
        content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|"; sid:1;)

Example to make sure User-Agent is after Host, but not necessarily directly after:

alert http any any -> any any (http_header_names; \
        content:"|0d 0a|Host|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; \
        distance:-2; sid:1;)
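To show why the three rules above behave differently, here is an added Python model (not Suricata code) that builds the http_header_names buffer from constructed request headers and evaluates ordered content checks with the distance semantics: each content after the first must start at or after the end of the previous match plus the distance, so distance:-2 lets the second content reuse the CRLF that ended the Host match.

```python
# Constructed example: model of the http_header_names buffer and of
# content/distance matching as used in the header-name rules above.
CRLF = b"\r\n"


def header_names_buffer(raw_headers: bytes) -> bytes:
    """CRLF + each header name + CRLF, then one extra CRLF (as in the example buffer)."""
    names = [line.split(b":", 1)[0].strip() for line in raw_headers.split(CRLF) if line]
    return CRLF + b"".join(name + CRLF for name in names) + CRLF


def contents_match(buf: bytes, contents) -> bool:
    """contents is a list of (pattern, distance). distance None = no relation
    to the previous match; an integer means the pattern must start at or after
    previous_match_end + distance (negative values allow overlap)."""
    prev_end = 0
    for index, (pattern, distance) in enumerate(contents):
        search_from = 0
        if index > 0 and distance is not None:
            search_from = max(prev_end + distance, 0)
        pos = buf.find(pattern, search_from)
        if pos < 0:
            return False
        prev_end = pos + len(pattern)
    return True


# The three rule bodies from the section, written as byte patterns.
ONLY_HOST = [(b"\r\nHost\r\n\r\n", None)]
UA_DIRECTLY_AFTER_HOST = [(b"\r\nHost\r\nUser-Agent\r\n", None)]
UA_SOMEWHERE_AFTER_HOST = [(b"\r\nHost\r\n", None), (b"\r\nUser-Agent\r\n", -2)]

# Constructed sample requests (header sections only).
REQ_HOST_ONLY = b"Host: example.test\r\n"
REQ_UA_ADJACENT = b"Host: example.test\r\nUser-Agent: demo/1.0\r\nAccept: */*\r\n"
REQ_UA_LATER = b"Host: example.test\r\nAccept: */*\r\nUser-Agent: demo/1.0\r\n"


def evaluate(raw_headers: bytes) -> dict:
    """Which of the three rules fire for the given header block."""
    buf = header_names_buffer(raw_headers)
    return {
        "only_host": contents_match(buf, ONLY_HOST),
        "ua_directly_after": contents_match(buf, UA_DIRECTLY_AFTER_HOST),
        "ua_after": contents_match(buf, UA_SOMEWHERE_AFTER_HOST),
    }
```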

http_client_body

The http_client_body keyword restricts the match to the HTTP request body.

http_stat_msg

The http_stat_msg keyword restricts the match to the HTTP status message.

http_response_line

The http_response_line keyword forces the whole HTTP response line to be inspected.

Example:

alert http any any -> any any (http_response_line; content:"HTTP/1.0 200 OK"; sid:1;)

http_server_body

The http_server_body keyword restricts the match to the HTTP response body.

Example:

alert http any any -> any any (http_server_body; content:"|0A 0B|</span>"; sid:1;)

Note

  • http_server_body matches on deflated data just like file_data does.

  • Corresponding PCRE modifier: Q

http.location

Sticky buffer to match on the HTTP Location header.

Example:

alert http any any -> any any (http.location; content:"http://www.genua.de"; sid:1;)

file_data

file_data matches content present in an HTTP response body.