http_cookie and http_raw_cookie

HTTP Cookie (request) and Set-Cookie (response) header values are placed into two sticky buffers, http_cookie and http_raw_cookie. The http_cookie buffer contains the normalized header values, whereas the http_raw_cookie buffer contains the unnormalized ones exactly as they appeared on the wire.

The normalization applied to the cookie is similar to URI normalization and includes things like percent-decoding and path-simplification. This is the practical reason for keeping both buffers: an encoded payload such as %60 is decoded in http_cookie but remains literal in http_raw_cookie, so a rule that needs to see the attacker's original encoding must match on the raw buffer.

If an HTTP request contains multiple Cookie headers, then each Cookie header value is extracted and placed into the two *_cookie buffers, with each full header value separated from the next by a single comma (no space is inserted after the comma).

For example, consider the following request with two Cookie headers:

Cookie: name=value; name2=value2; name3=value3
Cookie: name4=value4; name5=value5; name6=value6

Snort 3 will combine the two Cookie values and place them in the two buffers like so:

[http_cookie]
00000000  6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65  name=value; name
00000010  32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D  2=value2; name3=
00000020  76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C  value3,name4=val
00000030  75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65  ue4; name5=value
00000040  35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36     5; name6=value6

and

[http_raw_cookie]
00000000  6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65  name=value; name
00000010  32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D  2=value2; name3=
00000020  76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C  value3,name4=val
00000030  75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65  ue4; name5=value
00000040  35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36     5; name6=value6

The same is also true for Set-Cookie headers.

http_cookie and http_raw_cookie also accept an optional request argument, which is useful when writing detection that inspects both an HTTP client request and the HTTP server response to that request. More specifically, when other parts of the rule are examining the response, the request argument signifies that the http_cookie or http_raw_cookie match or matches should apply to the Cookie values from the request rather than to the Set-Cookie values of the response. More information on this topic can be found on the page covering the request argument.

Note: http_cookie matches are eligible for fast patterns, which is a change new to Snort 3.

Note: The "Cookie:" and "Set-Cookie:" portions of these headers are not included in either of the two *_cookie buffers.

Format:

http_cookie[:request];

Examples:

http_cookie;
content:"name=value",depth 10;
http_cookie;
content:"name=value",fast_pattern;
content:"name6=value6",distance 0;

Format:

http_raw_cookie[:request];

Examples:

http_raw_cookie;
content:"name=value";
http_raw_cookie;
content:"name=";
content:"%60whoami",nocase,within 25;
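The buffer construction described above (multiple Cookie headers joined with a comma, the header name stripped, and the normalized-versus-raw distinction that the http_raw_cookie example with %60whoami relies on) can be modelled in a few lines of Python. The block below is an added example written for this page, not Snort's own code: it builds the two buffers from constructed sample traffic and then evaluates the page's rule bodies as content chains with depth, distance, within and nocase. Two things are assumptions rather than Snort behaviour: normalization is modelled as percent-decoding only, and the content-modifier semantics are a simplified model of Snort's.

```python
"""Model of the http_cookie / http_raw_cookie buffers described on this page.

Added example, not Snort code.  Assumptions: normalization is modelled as
percent-decoding only, and the content modifiers (offset/depth/distance/within/
nocase) are a simplified model of Snort's real semantics.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample traffic (not real captures).
TWO_COOKIE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: name=value; name2=value2; name3=value3\r\n"
    b"Cookie: name4=value4; name5=value5; name6=value6\r\n"
    b"\r\n"
)
ENCODED_COOKIE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: name=%60whoami%60\r\n"
    b"\r\n"
)
SET_COOKIE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sid=abc123; Path=/\r\n"
    b"Set-Cookie: lang=en\r\n"
    b"\r\n"
)


def header_values(raw_message: bytes, header_name: bytes) -> list[bytes]:
    """Return the value of every header named header_name, in wire order.
    The 'Name:' prefix itself is dropped, as the note on this page says."""
    head = raw_message.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == header_name.lower():
            values.append(value.strip())
    return values


def cookie_buffers(raw_message: bytes, header_name: bytes = b"Cookie") -> tuple[bytes, bytes]:
    """Return (http_cookie, http_raw_cookie) for a request (Cookie header) or,
    with header_name=b"Set-Cookie", for a response."""
    raw = b",".join(header_values(raw_message, header_name))   # comma, no space
    normalized = unquote_to_bytes(raw)      # ASSUMPTION: percent-decoding only
    return normalized, raw


def content_chain(buf: bytes, contents) -> bool:
    """Evaluate an ordered list of (pattern, opts) content matches on one buffer.

    offset/depth are absolute (from the buffer start); distance/within are
    relative to the end of the previous match; nocase folds case.  The pattern
    must lie entirely inside the search window [start, end)."""
    cursor = 0                                   # end of the previous match
    for pattern, opts in contents:
        hay, pat = (buf.lower(), pattern.lower()) if opts.get("nocase") else (buf, pattern)
        relative = "distance" in opts or "within" in opts
        start = cursor + opts.get("distance", 0) if relative else opts.get("offset", 0)
        end = len(buf)
        if "depth" in opts:
            end = start + opts["depth"]
        if "within" in opts:
            end = start + opts["within"]
        pos = hay.find(pat, start, end)
        if pos < 0:
            return False
        cursor = pos + len(pat)
    return True


# The rule bodies from this page, expressed as content chains.
DEPTH_RULE = [(b"name=value", {"depth": 10})]
FAST_PATTERN_RULE = [(b"name=value", {}), (b"name6=value6", {"distance": 0})]
RAW_WHOAMI_RULE = [(b"name=", {}), (b"%60whoami", {"nocase": True, "within": 25})]
NORMALIZED_WHOAMI_RULE = [(b"name=", {}), (b"`whoami", {"within": 25})]


if __name__ == "__main__":
    norm, raw = cookie_buffers(TWO_COOKIE_REQUEST)
    print("two Cookie headers ->", raw, "| identical:", norm == raw)
    norm, raw = cookie_buffers(ENCODED_COOKIE_REQUEST)
    print("http_raw_cookie:", raw, "| %60whoami rule hits:", content_chain(raw, RAW_WHOAMI_RULE))
    print("http_cookie    :", norm, "| %60whoami rule hits:", content_chain(norm, RAW_WHOAMI_RULE))
    print("Set-Cookie buffers:", cookie_buffers(SET_COOKIE_RESPONSE, b"Set-Cookie"))
```

Running the block shows the two-header request producing the same comma-joined value in both buffers (nothing to decode), while the %60whoami request yields `name=%60whoami%60` in http_raw_cookie and `` name=`whoami` `` in http_cookie: the page's http_raw_cookie rule fires only on the raw buffer, and a rule looking for the decoded backtick would have to use http_cookie instead.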