http_client_body and http_raw_body
Snort places HTTP message data into two sticky buffers, http_client_body and http_raw_body. The former contains normalized message request data, while the latter contains unnormalized request and response message data.
The request data normalization that occurs is also similar to the URI normalization and includes things like percent-decoding and path-simplification.
Snort is also able to decompress request and response data (e.g., gzip-compression), and so it will, depending on one's configuration, place the decompressed data in both the http_client_body and http_raw_body buffers. Furthermore, the http_raw_body buffer will contain de-chunked and decompressed data if applicable, but it will not be modified/normalized in any other way.
http_client_body; content:"pizza_type=",fast_pattern,nocase; content:"../",within 20;
http_raw_body; content:"pizza_type=",nocase; content:"%2e%2e",nocase,distance 0;
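The following is an added example, not taken from Snort or its documentation. It models what each buffer would hold for one constructed chunked, gzip-compressed form body and evaluates the two rule fragments above against both. The function names are hypothetical, and percent-decoding alone stands in for Snort's normalization; path simplification and configuration options are not modelled.

```python
import gzip
from urllib.parse import unquote_to_bytes

def dechunk(data: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += data[eol + 2 : eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the chunk data and its trailing CRLF

def raw_body(wire: bytes) -> bytes:
    """Model of http_raw_body: de-chunked and decompressed, nothing else."""
    return gzip.decompress(dechunk(wire))

def client_body(wire: bytes) -> bytes:
    """Simplified model of http_client_body (assumption: percent-decoding only)."""
    return unquote_to_bytes(raw_body(wire))

def match(buf: bytes, first: bytes, second: bytes, within=None) -> bool:
    """content:first,nocase; content:second,nocase,distance 0[,within N];"""
    buf, first, second = buf.lower(), first.lower(), second.lower()
    start = buf.find(first)
    while start != -1:
        cursor = start + len(first)  # relative matches begin after the first one
        end = len(buf) if within is None else cursor + within
        if buf.find(second, cursor, end) != -1:
            return True
        start = buf.find(first, start + 1)
    return False

def chunked(payload: bytes, size: int = 16) -> bytes:
    """Build a chunked body for the constructed sample below."""
    parts = [payload[i : i + size] for i in range(0, len(payload), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"

# Constructed sample: a form body as sent on the wire (gzip, then chunked).
FORM = b"size=large&pizza_type=%2E%2e%2fmenus%2fadmin"
WIRE = chunked(gzip.compress(FORM))

if __name__ == "__main__":
    print("http_raw_body   :", raw_body(WIRE))
    print("http_client_body:", client_body(WIRE))
```

Matching "../" only succeeds against the normalized buffer and "%2e%2e" only against the raw one, which is why the two fragments are written against different buffers.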