http_header and http_raw_header

Snort makes HTTP request and response headers available in two sticky buffers, http_header and http_raw_header. The http_header buffer contains the normalized request or response headers, whereas the http_raw_header buffer contains the headers as they appeared on the wire, with no normalization applied.

The header normalization is similar to URI normalization and includes things like percent-decoding and path simplification. This matters when choosing a buffer: a pattern that depends on the exact encoding the client sent (a percent-encoded character, for example) belongs in http_raw_header, since http_header will contain the decoded form.

Snort 3 also lets users look for content matches in a specific HTTP header field with the optional field header_name argument. This option is specified with a colon after http_header, followed by the word "field", and lastly the name of the header field (which is case-insensitive). For example, the following sets a sticky buffer that points to the value of the "User-Agent" HTTP header:

http_header:field user-agent;

Specifying individual headers like this makes a rule more efficient and more targeted; however, not all headers can be used in this manner. A list of header fields that support this is given at the end of this page.

http_header and http_raw_header also accept an optional request argument, which is useful when a rule looks at both an HTTP client request and the HTTP server's response to that request. The request argument signifies that the http_header or http_raw_header match (or matches) should apply to the headers of the request even when other parts of the rule are examining the response. More information on the request argument can be found on its own page.

http_header

Format:

http_header[:field header_name][,request];

Examples:

http_header;
content:"User-Agent: abcip",fast_pattern,nocase;
content:"Accept-Language: en-us",nocase,distance 0;
# http_header field name arguments are case-insensitive
http_header:field user-agent;
content:"python-requests";

http_raw_header

Format:

http_raw_header[:field header_name][,request];

Examples:

http_raw_header;
content:"Accept-Language: en-us",fast_pattern,nocase;
http_raw_header;
content:"Accept-Language:",fast_pattern,nocase;
content:"%60whoami",within 30;
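The following is an added worked example, not code from Snort or from this page: a small Python model of the two sticky buffers that runs the page's example rules (the http_header:field user-agent match, the http_raw_header "%60whoami" match, and a response-side rule that reaches back to the request with the request argument) against a constructed request/response pair. The normalization it applies (percent-decoding plus collapsing of linear whitespace) and the content/distance/within semantics are simplified assumptions chosen to illustrate the page's description, not a reproduction of the inspector's actual logic; the sample messages, the X-Cmd header and the `HttpBuffers`, `content` and `run_page_rules` names are all invented for the example.

```python
"""Model of Snort 3's http_header / http_raw_header sticky buffers (added example, not Snort code)."""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Constructed sample transaction (not captured traffic). The X-Cmd request header
# carries a percent-encoded backtick (%60), the case the http_raw_header rule targets.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"user-agent:   python-requests/2.31.0\r\n"
    b"Accept-Language: en-us\r\n"
    b"X-Cmd: %60whoami%60\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def raw_header_block(message: bytes) -> bytes:
    """Bytes after the start line up to and including the last header's CRLF:
    what the http_raw_header buffer holds, untouched."""
    start_line_end = message.index(b"\r\n") + 2
    headers_end = message.index(b"\r\n\r\n") + 2
    return message[start_line_end:headers_end]


def normalize_value(value: bytes) -> bytes:
    """Simplified stand-in for header normalization (assumption, not Snort's code):
    percent-decode the value and collapse runs of linear whitespace."""
    return re.sub(rb"[ \t]+", b" ", unquote_to_bytes(value))


class HttpBuffers:
    """The two sticky buffers for one HTTP message, plus :field lookup."""

    def __init__(self, message: bytes):
        self.http_raw_header = raw_header_block(message)
        self._fields: list[tuple[bytes, bytes]] = []      # (name as sent, value) in wire order
        for line in self.http_raw_header.split(b"\r\n"):
            if line:
                name, _, value = line.partition(b":")
                self._fields.append((name.strip(), value.strip()))
        # http_header: the same headers after normalization, one per line
        self.http_header = b"".join(
            name + b": " + normalize_value(value) + b"\r\n" for name, value in self._fields
        )

    def field(self, name: str, raw: bool = False) -> bytes | None:
        """http_header:field <name> (or http_raw_header:field <name> with raw=True).
        Field names compare case-insensitively, as the page states."""
        wanted = name.lower().encode()
        for fname, value in self._fields:
            if fname.lower() == wanted:
                return value if raw else normalize_value(value)
        return None


def content(buf, pattern, cursor=0, nocase=False, distance=0, within=None):
    """One content match; returns the cursor just past the match, or None.
    Simplified semantics: the search starts `distance` bytes after the cursor and,
    with `within`, the whole pattern must lie inside the next `within` bytes."""
    hay, needle = (buf.lower(), pattern.lower()) if nocase else (buf, pattern)
    start = cursor + distance
    end = len(hay) if within is None else start + within
    idx = hay.find(needle, start, end)
    return None if idx < 0 else idx + len(needle)


def rule_matches(buf, contents):
    """Evaluate a chain of content options against one sticky buffer."""
    cursor = 0
    for pattern, opts in contents:
        cursor = content(buf, pattern, cursor, **opts)
        if cursor is None:
            return False
    return True


def run_page_rules(request=SAMPLE_REQUEST, response=SAMPLE_RESPONSE):
    """Apply the page's example rules to the constructed transaction."""
    req, resp = HttpBuffers(request), HttpBuffers(response)
    ua_rule = [(b"python-requests", {})]
    backtick_rule = [(b"Accept-Language:", {"nocase": True}), (b"%60whoami", {"within": 30})]
    return {
        # http_header:field user-agent; content:"python-requests";
        "field_user_agent": rule_matches(req.field("User-Agent") or b"", ua_rule),
        # http_raw_header; content:"Accept-Language:",nocase; content:"%60whoami",within 30;
        "raw_finds_encoded_backtick": rule_matches(req.http_raw_header, backtick_rule),
        # the same two contents against http_header fail: %60 was decoded to a backtick
        "normalized_finds_encoded_backtick": rule_matches(req.http_header, backtick_rule),
        # response-side rule that also checks the request via ",request":
        # http_header:field server; content:"nginx"; http_header:field user-agent,request; content:"python-requests";
        "response_with_request_field": rule_matches(resp.field("Server") or b"", [(b"nginx", {})])
        and rule_matches(req.field("User-Agent") or b"", ua_rule),
        "missing_field_is_none": req.field("Referer") is None,
    }


if __name__ == "__main__":
    for name, result in run_page_rules().items():
        print(f"{name}: {result}")
```

Running it shows the point of the two buffers: the "%60whoami" content hits in http_raw_header but not in http_header, because the normalized buffer holds the decoded backtick, while the field lookup works regardless of the case the client used for the header name.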

http_header:field supported headers

The following is a list of HTTP header fields that can be used with the http_header:field <header_name> syntax.

cache-control
connection
date
pragma
trailer
cookie
set-cookie
transfer-encoding
upgrade
via
warning
accept
accept-charset
accept-encoding
accept-language
authorization
expect
from
host
if-match
if-modified-since
if-none-match
if-range
if-unmodified-since
max-forwards
proxy-authorization
range
referer
te
user-agent
accept-ranges
age
etag
location
proxy-authenticate
retry-after
server
vary
www-authenticate
allow
content-encoding
content-language
content-length
content-location
content-md5
content-range
content-type
expires
last-modified
x-forwarded-for
true-client-ip
x-working-with
content-transfer-encoding
mime-version
proxy-agent
content-disposition
http2-settings
restrict-access-to-tenants
restrict-access-context