http_client_body and http_raw_body

Snort places HTTP message data into two sticky buffers, http_client_body and http_raw_body. The former contains normalized request message data, while the latter contains unnormalized request and response message data. The normalization applied to request data is similar to the URI normalization and includes things like percent-decoding and path simplification. Snort is also able to decompress request and response data (e.g., gzip compression), so depending on one's configuration it will place the decompressed data in both the http_client_body and http_raw_body buffers. Furthermore, http_raw_body will contain de-chunked and decompressed data where applicable, but it will not be modified or normalized in any other way.
http_client_body

Format:

    http_client_body;

Examples:

    http_client_body;
    content:"user=root",fast_pattern,nocase;

    http_client_body;
    content:"pizza_type=",fast_pattern,nocase;
    content:"../",within 20;
http_raw_body

Format:

    http_raw_body;

Examples:

    http_raw_body;
    content:"user=root",nocase;

    http_raw_body;
    content:"pizza_type=",nocase;
    content:"%2e%2e",nocase,distance 0;
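As an added illustration (not Snort's own code or documentation), the following Python model shows why the second http_client_body and http_raw_body example rules above look for different strings: a constructed request body that is chunked, gzip-compressed and percent-encoded is reduced to the two buffers, and each rule's content checks are run against the buffer that rule inspects. The dechunk/decompress/normalize helpers and the rule evaluators are deliberately simplified stand-ins for Snort's behaviour, not its real normalizer.

```python
import gzip
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: a chunked, gzip-compressed, percent-encoded form body.
PLAIN_BODY = b"pizza_type=%2e%2e/%2e%2e/etc/passwd&user=ROOT"
_GZ = gzip.compress(PLAIN_BODY)
SAMPLE_CHUNKED_GZIP_BODY = f"{len(_GZ):x}\r\n".encode() + _GZ + b"\r\n0\r\n\r\n"

def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked transfer-coded body (no trailer support)."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        pos = end + 2
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF

def raw_body(data: bytes, chunked: bool, gzipped: bool) -> bytes:
    """Models http_raw_body: de-chunked and decompressed, nothing else."""
    if chunked:
        data = dechunk(data)
    return gzip.decompress(data) if gzipped else data

def client_body(raw: bytes) -> bytes:
    """Models http_client_body: percent-decode, then collapse '/./' segments.
    Simplified on purpose; Snort's normalizer does considerably more."""
    return re.sub(rb"/\./", b"/", unquote_to_bytes(raw))

def rule_client_body(buf: bytes) -> bool:
    """http_client_body; content:"pizza_type=",nocase; content:"../",within 20;"""
    i = buf.lower().find(b"pizza_type=")
    if i < 0:
        return False
    after = i + len(b"pizza_type=")
    return buf.find(b"../", after, after + 20) >= 0  # whole match within 20 bytes

def rule_raw_body(buf: bytes) -> bool:
    """http_raw_body; content:"pizza_type=",nocase; content:"%2e%2e",nocase,distance 0;"""
    low = buf.lower()
    i = low.find(b"pizza_type=")
    return i >= 0 and low.find(b"%2e%2e", i + len(b"pizza_type=")) >= 0

def evaluate(wire: bytes) -> dict:
    """Run each rule against the buffer it actually inspects."""
    raw = raw_body(wire, chunked=True, gzipped=True)
    return {"raw_rule": rule_raw_body(raw), "client_rule": rule_client_body(client_body(raw))}
```

Both rules fire on the sample, but only because each is matched against its own buffer: the "../" rule misses the raw body (which still holds "%2e%2e") and the "%2e%2e" rule misses the normalized body.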