Snort rules are best at evaluating a network packet's "payload" (e.g., the TCP or UDP data fields), and this chapter covers what are referred to as "payload detection" options. These options tell Snort what kind of packet data to look for, where to look for that data, and lastly how to look for said data.
A single Snort rule can contain multiple options, and those options are evaluated against the packet data in the order they are placed in the rule (except for certain fast_pattern matches).
When Snort receives network traffic and begins processing, it places the packet data into various "buffers" that rule writers can evaluate payload options against. Snort provides buffers for the raw packet data, normalized packet data, "file" data, individual HTTP elements, like http_header and http_uri, and more. Not all buffers will be available for a given packet, and so rule writers should use table at the end of this page to make sure they are using the appropriate one(s).
As Snort evaluates payload options against a given buffer, it keeps track of its current location there with a detection-offset-end (DOE) pointer (also sometimes referred to as a cursor). By default, this pointer points to the start of the current buffer, but some rule options will "move" this pointer forward and backwards, which allow for the use of relative payload options.
By default, rule options are evaulated against data present in the pkt_data buffer. Looking for data in one of the other buffers is done by using what are called "sticky buffers", which are rule options that, when set, move the DOE pointer to the start of that particular buffer. Then, all subsequent payload options will be looked for in that buffer unless some other sticky buffer is specified.
One of those sticky buffers, for example, is http_uri, which contains the URI portion of an HTTP request. Setting this buffer and looking for data there might be done like so:
Note: Depending on one's Snort configuration, Snort will place certain payload data—such as HTTP-specific elements—only in their respective buffers. This means, for example, that trying to look for HTTP request elements in the default, normalized packet data buffer will result in a detection failure.
This section breaks down each of those rule payload options to explain how they are used and how they work, starting with the content option.
file_data is a sticky buffer declaration that sets the detection cursor to either the HTTP response body for HTTP traffic or file data sent via other application protocols that has been processed and captured by Snort's "file API"