http_cookie and http_raw_cookie

The values of HTTP request Cookie headers and response Set-Cookie headers are placed into two sticky buffers, http_cookie and http_raw_cookie. The http_cookie buffer contains the normalized header values, whereas the http_raw_cookie buffer contains the unnormalized ones exactly as they appeared on the wire.

The cookie normalization that is applied is similar to URI normalization and includes things like percent-decoding and path simplification.

If an HTTP request contains multiple Cookie headers, each Cookie header value is extracted and placed into the two *_cookie buffers, with the full header values concatenated and separated by a bare comma (no space is inserted after the comma).

For example, consider the following request with two Cookie headers:

Cookie: name=value; name2=value2; name3=value3
Cookie: name4=value4; name5=value5; name6=value6

Snort 3 will combine the two Cookie values and place them in the two buffers like so:

[http_cookie]
00000000  6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65  name=value; name
00000010  32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D  2=value2; name3=
00000020  76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C  value3,name4=val
00000030  75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65  ue4; name5=value
00000040  35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36     5; name6=value6

and

[http_raw_cookie]
00000000  6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65  name=value; name
00000010  32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D  2=value2; name3=
00000020  76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C  value3,name4=val
00000030  75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65  ue4; name5=value
00000040  35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36     5; name6=value6

The same is true for multiple Set-Cookie headers in a response. Note that Set-Cookie values can themselves contain commas (for example in an Expires date), so a comma in the buffer does not always mark the boundary between two headers.

Note: http_cookie matches are eligible for fast patterns, which is a change new to Snort 3.

Note: The "Cookie:" and "Set-Cookie:" portions of these headers are not included in either of the two *_cookie buffers.
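The following is an added illustration, not code from the Snort project: a small Python model of how the two buffers described above are built from a message. It extracts every Cookie (or Set-Cookie) header value, joins the values with a bare comma to mimic http_raw_cookie, percent-decodes that to mimic http_cookie (an assumption and a simplification; Snort's normalizer does more than percent-decoding), and renders the result in the same hex-dump layout used on this page. The sample request, response, cookie names and the "%60whoami" value are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample traffic (not captured data). PAGE_REQUEST carries the two
# Cookie headers shown in the text above; SAMPLE_REQUEST adds a percent-encoded
# value so that the normalized and raw buffers differ; SAMPLE_RESPONSE exercises
# Set-Cookie. All header values are illustrative only.
PAGE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: name=value; name2=value2; name3=value3\r\n"
    b"Cookie: name4=value4; name5=value5; name6=value6\r\n"
    b"\r\n"
)
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: name=value; name2=value2\r\n"
    b"Cookie: name3=%60whoami%60; name4=value4\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"Set-Cookie: pref=dark\r\n"
    b"\r\n"
)


def header_values(message: bytes, name: bytes) -> list:
    """Return the value of every header field called `name` (header names are
    case-insensitive), in order, with the "Name:" prefix and surrounding
    whitespace removed. Only the header block before the blank line is read."""
    head = message.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # [0] is the request/status line
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def raw_cookie_buffer(message: bytes, name: bytes = b"Cookie") -> bytes:
    """Model of http_raw_cookie: all Cookie (or Set-Cookie) header values,
    concatenated with a bare comma between them, as the dumps above show."""
    return b",".join(header_values(message, name))


def cookie_buffer(message: bytes, name: bytes = b"Cookie") -> bytes:
    """Model of http_cookie. Only percent-decoding is applied here (an
    assumption for illustration); Snort's normalizer does more than this."""
    return unquote_to_bytes(raw_cookie_buffer(message, name))


def content_match(buf: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Minimal model of a Snort `content` match against a sticky buffer."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def hexdump(data: bytes) -> str:
    """Render bytes in the offset / hex / ASCII layout used in the dumps above."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join("%02X" % b for b in chunk).ljust(16 * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08X  %s  %s" % (off, hexpart, text))
    return "\n".join(lines)


if __name__ == "__main__":
    print("[http_raw_cookie] (page example)")
    print(hexdump(raw_cookie_buffer(PAGE_REQUEST)))
    raw = raw_cookie_buffer(SAMPLE_REQUEST)
    norm = cookie_buffer(SAMPLE_REQUEST)
    print("\n[http_raw_cookie]")
    print(hexdump(raw))
    print("\n[http_cookie]")
    print(hexdump(norm))
    # A rule body of `http_raw_cookie; content:"%60whoami",nocase;` fires only
    # on the raw buffer; after percent-decoding the "%60" is a backtick.
    print("\nraw matches %60whoami:", content_match(raw, b"%60whoami", nocase=True))
    print("normalized matches %60whoami:", content_match(norm, b"%60whoami", nocase=True))
    print("\n[Set-Cookie raw]")
    print(hexdump(raw_cookie_buffer(SAMPLE_RESPONSE, b"Set-Cookie")))
```

Running the script reproduces the first and last lines of the dump shown above for the page's two Cookie headers, and shows why a pattern written in its percent-encoded form belongs in an http_raw_cookie rule rather than an http_cookie one.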

Format:

http_cookie;

Examples:

http_cookie; content:"name=value",depth 10;
http_cookie;
content:"name=value",fast_pattern;
content:"name6=value6",distance 0;

Format:

http_raw_cookie;

Examples:

http_raw_cookie; content:"name=value";
http_raw_cookie;
content:"name=";
content:"%60whoami",nocase,within 25;

The second example looks for the percent-encoded form "%60whoami" (a backtick followed by "whoami") and must use http_raw_cookie: in the normalized http_cookie buffer the "%60" would already have been decoded to a backtick, so the same content match would not fire there.