HTTP Specific Options

Snort operates with a bevy of "service inspectors" that can identify specific TCP/UDP applications and divide the application data into distinct buffers. One of those service inspectors that does exactly this is the "HTTP inspector".

Whenever HTTP traffic is detected in a packet, the HTTP service inspector scans the payload data to parse the different HTTP elements (e.g., URIs, headers, methods, etc.) and populates individual buffers with those different pieces. This powerful inspector allows rule writers to then develop rules with content matches targeting only specific parts of an HTTP packet.

Most HTTP options in Snort 3 rules are "sticky buffers", as opposed to content-modifiers like they were in Snort 2, meaning they should be placed before a content match option to set the desired buffer (e.g., http_uri; content:"/pizza.php";). In addition to these sticky buffers, there are also a few non-sticky-buffer HTTP rule options that are used to run checks on specific parts of an HTTP message.

This section goes over each of these rule options in great detail, describing how to use each one, what HTTP data is included in each sticky buffer, and how that data gets formatted in the different buffers.

Quick Reference

http_uriNormalized HTTP URI
http_raw_uriUnnormalized HTTP URI
http_headerNormalized HTTP headers
http_raw_headerUnnormalized HTTP headers
http_cookieNormalized HTTP cookies
http_raw_cookieUnnormalized HTTP cookies
http_client_bodyNormalized HTTP request body
http_raw_bodyUnnormalized HTTP request body and response data
http_paramSpecific HTTP parameter values
http_methodHTTP request methods
http_versionHTTP request and response versions
http_stat_codeHTTP response status codes
http_stat_msgHTTP response status messages
http_raw_requestUnnormalized HTTP start lines
http_raw_statusUnnormalized HTTP status lines
http_trailerNormalized HTTP trailers
http_raw_trailerUnnormalized HTTP trailers
http_true_ipOriginal client IP address as stored in various request proxy headers
http_version_matchNon-sticky buffer option used to test an HTTP message's version against a list of versions
http_num_headersNon-sticky buffer option used to test the number of HTTP headers against a specific value or a range of values
http_num_trailersNon-sticky buffer option used to test the number of HTTP trailers against a specific value or a range of values
http_num_cookiesNon-sticky buffer option used to test the number of HTTP cookies against a specific value or a range of values
Combining Request and Response DetectionExplains how to create rules that examine an HTTP response and the HTTP request associated with that response