http_cookie and http_raw_cookie
HTTP request and response Cookie values are placed into two sticky buffers, http_cookie and http_raw_cookie. The http_cookie buffer contains the normalized Cookie header values, whereas the http_raw_cookie buffer contains the unnormalized ones. The cookie normalization applied is similar to URI normalization and includes steps such as percent-decoding and path simplification. Snort 3 has also made http_cookie matches eligible for fast patterns.
If an HTTP request contains multiple Cookie headers, then each Cookie header value is extracted and placed into the two *_cookie buffers, with each full header value separated by commas.
For example, consider the following request with two Cookie headers:
Cookie: name=value; name2=value2; name3=value3
Cookie: name4=value4; name5=value5; name6=value6
Snort 3 will combine the two Cookie values and place them in the two buffers like so:
[http_cookie]
00000000 6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65 name=value; name
00000010 32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D 2=value2; name3=
00000020 76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C value3,name4=val
00000030 75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65 ue4; name5=value
00000040 35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36 5; name6=value6
and
[http_raw_cookie]
00000000 6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65 name=value; name
00000010 32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D 2=value2; name3=
00000020 76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C value3,name4=val
00000030 75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65 ue4; name5=value
00000040 35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36 5; name6=value6
The same is also true for Set-Cookie headers.
Note: http_cookie matches are eligible for fast patterns, which is a change new to Snort 3.
Note: The "Cookie:" and "Set-Cookie:" portions of these headers are not included in either of the two *_cookie buffers.
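The following Python model is an added example and is not Snort's own code; it reproduces the buffer construction described above so the behaviour can be checked offline. It takes a constructed HTTP request with two Cookie headers (the same two headers as the example above), strips the "Cookie:" portion of each, joins the full header values with commas to form http_raw_cookie, and applies percent-decoding to model http_cookie. Only percent-decoding is modelled, not the rest of the inspector's normalization, and the request text, the `ENCODED_REQUEST` sample and the function names are assumptions made for the example. The second sample shows why a pattern such as the `%60whoami` content in the http_raw_cookie example below is only found in the raw buffer.

```python
import urllib.parse
from typing import List

# Constructed sample request carrying the two Cookie headers from the page's example.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: name=value; name2=value2; name3=value3\r\n"
    "Cookie: name4=value4; name5=value5; name6=value6\r\n"
    "\r\n"
)

# Constructed sample with a percent-encoded cookie value (assumed, not from the page).
ENCODED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: name=%60whoami%60\r\n"
    "\r\n"
)


def header_values(message: str, name: str) -> List[str]:
    """Return every value of header `name` (case-insensitive), without the 'Name:' prefix.

    Works for requests (Cookie) and responses (Set-Cookie): the first line is the
    request or status line and is skipped; the header block ends at the blank line.
    """
    head = message.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def raw_cookie_buffer(message: str, name: str = "Cookie") -> bytes:
    """Model of http_raw_cookie: full header values joined with ',' and no normalization."""
    return ",".join(header_values(message, name)).encode("latin-1")


def normalized_cookie_buffer(message: str, name: str = "Cookie") -> bytes:
    """Model of http_cookie: same combination, then percent-decoding.

    This models only the percent-decoding part of the URI-style normalization
    the page describes; path simplification and other steps are not modelled.
    """
    raw = raw_cookie_buffer(message, name).decode("latin-1")
    return urllib.parse.unquote(raw, encoding="latin-1").encode("latin-1")


def hexdump(buf: bytes) -> List[str]:
    """Render a buffer in the offset / hex / ASCII layout used in the dumps above."""
    lines = []
    for off in range(0, len(buf), 16):
        chunk = buf[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(16 * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X} {hexpart} {asc}")
    return lines


if __name__ == "__main__":
    for label, fn in (("http_cookie", normalized_cookie_buffer),
                      ("http_raw_cookie", raw_cookie_buffer)):
        print(f"[{label}]")
        print("\n".join(hexdump(fn(SAMPLE_REQUEST))))
    # The encoded sample differs between the two buffers: %60 becomes a backtick in http_cookie.
    print(raw_cookie_buffer(ENCODED_REQUEST), normalized_cookie_buffer(ENCODED_REQUEST))
```

Running the script prints both buffers for the two-header request; they are identical because nothing in those cookies needs decoding. For the encoded sample, `http_raw_cookie` still holds the literal `%60whoami%60` while `http_cookie` holds the decoded backticks, which is the reason a rule that wants to match the encoded form uses the raw buffer.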
http_cookie
Format:
http_cookie;
Examples:
http_cookie; content:"name=value",depth 10;
http_cookie;
content:"name=value",fast_pattern;
content:"name6=value6",distance 0;
http_raw_cookie
Format:
http_raw_cookie;
Examples:
http_raw_cookie; content:"name=value";
http_raw_cookie;
content:"name=";
content:"%60whoami",nocase,within 25;