http_cookie and http_raw_cookie
HTTP request and response Cookie values are placed into two sticky buffers, http_cookie and http_raw_cookie. The http_cookie buffer contains the normalized Cookie header values, whereas the http_raw_cookie buffer contains the unnormalized ones. The cookie normalization that occurs is similar to the URI normalization and includes things like percent-decoding and path simplification. Snort 3 has also made http_cookie matches eligible for fast patterns.

If an HTTP request contains multiple Cookie headers, then each Cookie header value is extracted and placed into the two *_cookie buffers, with each full header value separated by commas.
For example, consider the following request with two Cookie headers:
Cookie: name=value; name2=value2; name3=value3
Cookie: name4=value4; name5=value5; name6=value6
Snort 3 will combine the two Cookie values and place them in the two buffers like so:
[http_cookie]
00000000 6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65 name=value; name
00000010 32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D 2=value2; name3=
00000020 76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C value3,name4=val
00000030 75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65 ue4; name5=value
00000040 35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36 5; name6=value6
and
[http_raw_cookie]
00000000 6E 61 6D 65 3D 76 61 6C 75 65 3B 20 6E 61 6D 65 name=value; name
00000010 32 3D 76 61 6C 75 65 32 3B 20 6E 61 6D 65 33 3D 2=value2; name3=
00000020 76 61 6C 75 65 33 2C 6E 61 6D 65 34 3D 76 61 6C value3,name4=val
00000030 75 65 34 3B 20 6E 61 6D 65 35 3D 76 61 6C 75 65 ue4; name5=value
00000040 35 3B 20 6E 61 6D 65 36 3D 76 61 6C 75 65 36 5; name6=value6
The same is also true for Set-Cookie headers.
http_cookie and http_raw_cookie also allow for an optional request argument, which is useful when writing detection that looks at both an HTTP client request and the HTTP server response to that request. More specifically, this request argument signifies that the http_cookie or http_raw_cookie match or matches should apply to the cookies from the request when other parts of the rule are examining the response. More information on this topic can be found on this page.
Note: http_cookie matches are eligible for fast patterns, which is a change new to Snort 3.
Note: The "Cookie:" and "Set-Cookie:" portions of these headers are not included in either of the two *_cookie buffers.
http_cookie
Format:
http_cookie[:request];
Examples:
http_cookie;
content:"name=value",depth 10;
http_cookie;
content:"name=value",fast_pattern;
content:"name6=value6",distance 0;
http_raw_cookie
Format:
http_raw_cookie[:request];
Examples:
http_raw_cookie;
content:"name=value";
http_raw_cookie;
content:"name=";
content:"%60whoami",nocase,within 25;
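The following is an added example, not code from the Snort 3 documentation or from the Snort project. It models two things described above: how the http_cookie and http_raw_cookie buffers are assembled from multiple Cookie headers (header names dropped, values joined with commas, the normalized copy percent-decoded), and how the content modifiers used in the rule examples (depth, distance, within, nocase) are evaluated against those buffers. Normalization is reduced to percent-decoding, which is the one step the page names; Snort's normalizer does more, so treat that as an assumption. The header lists and the cookie value "name=%60whoami%60" are constructed for the example, and the function names are this example's own.

```python
# Added example (not Snort code): a model of the http_cookie / http_raw_cookie
# sticky buffers and of content matching with depth / distance / within / nocase.
from urllib.parse import unquote_to_bytes

def build_cookie_buffers(headers):
    """headers: list of (name, value) pairs from one HTTP message, in order.
    Returns (http_cookie, http_raw_cookie) as bytes. The "Cookie:" /
    "Set-Cookie:" names are not part of either buffer, and the values of
    multiple headers are joined with commas, as the page's hex dumps show."""
    values = [v.strip() for name, v in headers
              if name.lower() in ("cookie", "set-cookie")]
    raw = ",".join(values).encode()
    # Assumption: normalization here is percent-decoding only; Snort's
    # normalizer also performs other steps (e.g. path simplification).
    normalized = unquote_to_bytes(raw)
    return normalized, raw

def match_contents(buf, contents):
    """Evaluate content options in rule order against one buffer.
    Each item is a dict: {"pattern": str, "nocase": bool, "depth": int,
    "distance": int, "within": int}, all but "pattern" optional.
    depth N  : the match must lie within the first N bytes searched.
    distance N / within N : search relative to the end of the previous
      match (start N bytes past it / the pattern must end within N bytes).
    fast_pattern only selects the content used for pre-filtering, so it has
    no effect on whether the rule matches and is ignored here.
    Returns True if every content matched in order."""
    cursor = 0                      # end of the previous match
    for c in contents:
        pat, hay = c["pattern"].encode(), buf
        if c.get("nocase"):
            pat, hay = pat.lower(), hay.lower()
        relative = "distance" in c or "within" in c
        start = cursor + c.get("distance", 0) if relative else 0
        end = len(hay)
        if "depth" in c:
            end = min(end, start + c["depth"])
        if "within" in c:
            end = min(end, start + c["within"])
        idx = hay.find(pat, start, end)   # whole pattern must fit in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True

def page_examples():
    """Run the page's two-Cookie-header request and its rule examples through
    the model; returns the buffers and each rule's verdict."""
    request_headers = [  # constructed, mirroring the page's example request
        ("Host", "example.test"),
        ("Cookie", "name=value; name2=value2; name3=value3"),
        ("Cookie", "name4=value4; name5=value5; name6=value6"),
    ]
    cookie, raw_cookie = build_cookie_buffers(request_headers)
    # Constructed request whose cookie carries a percent-encoded backtick,
    # the case the page's http_raw_cookie example is written to detect.
    enc_cookie, enc_raw = build_cookie_buffers([("Cookie", "name=%60whoami%60")])
    raw_rule = [{"pattern": "name="},
                {"pattern": "%60whoami", "nocase": True, "within": 25}]
    return {
        "http_cookie": cookie,
        "http_raw_cookie": raw_cookie,
        # http_cookie; content:"name=value",depth 10;
        "depth_rule": match_contents(cookie, [{"pattern": "name=value", "depth": 10}]),
        # http_cookie; content:"name=value",fast_pattern; content:"name6=value6",distance 0;
        "distance_rule": match_contents(cookie, [{"pattern": "name=value"},
                                                 {"pattern": "name6=value6", "distance": 0}]),
        # http_raw_cookie; content:"name="; content:"%60whoami",nocase,within 25;
        "raw_rule_on_raw": match_contents(enc_raw, raw_rule),
        # Same contents against the normalized buffer: %60 is already a backtick
        # there, so a rule keyed on the encoded form must use http_raw_cookie.
        "raw_rule_on_normalized": match_contents(enc_cookie, raw_rule),
    }

if __name__ == "__main__":
    for key, value in page_examples().items():
        print(f"{key}: {value!r}")
```

The last two results make the practical point: the same content options match the raw buffer but not the normalized one, because percent-decoding has already turned "%60" into a backtick in http_cookie. When a signature keys on an encoded form, write it against http_raw_cookie; when it keys on the decoded meaning, http_cookie catches both encoded and plain variants with one pattern.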