http_header and http_raw_header

Snort makes HTTP request and response headers available in two sticky buffers, http_header and http_raw_header. The http_header buffer contains the normalized request/response headers, whereas the http_raw_header buffer contains unnormalized ones.

The header normalization Snort performs is similar to URI normalization and includes steps such as percent-decoding and path simplification.

Snort 3 also gives users the ability to look for content matches in specific HTTP header fields with the optional field header_name argument. This option is specified with a colon character after http_header, followed by the word "field", and lastly the specific header field name (which is case-insensitive). For example:

http_header:field user-agent;

Specifying individual headers like this creates a more efficient and accurate rule.

http_header

Format:

http_header[:field header_name];

Examples:

http_header;
content:"User-Agent: abcip",fast_pattern,nocase;
content:"Accept-Language: en-us",nocase,distance 0;
# http_header field name arguments are case-insensitive
http_header:field user-agent; content:"abcip";

http_raw_header

Format:

http_raw_header[:field header_name];

Examples:

http_raw_header; content:"Accept-Language: en-us",fast_pattern,nocase;
http_raw_header;
content:"Accept-Language:",fast_pattern,nocase;
content:"%60whoami",within 30;
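As an added illustration (Python written for this page, not Snort source code and not an example from the Snort documentation), the following models the two buffers described at the top of the page and the ":field header_name" selector, and shows why the "%60whoami" content in the http_raw_header example above matches only the raw buffer: normalization percent-decodes the value, so the same bytes appear as a literal backtick in http_header. The sample request, the header values and the normalize function are constructed assumptions; real Snort header normalization does more than percent-decoding.

```python
"""
Added illustration (not Snort source code): a minimal model of the two
HTTP header buffers, http_raw_header (bytes as sent) and http_header
(normalized), plus the ":field <name>" selector.

Only percent-decoding of header values is modelled; Snort's HTTP
inspector performs further normalization, so `normalize` is an
approximation for teaching purposes.
"""
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample request (assumption, not captured traffic): a
# User-Agent matching the page's "abcip" example and an Accept-Language
# value carrying a percent-encoded backtick, as in the raw-header example.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: abcip/1.0\r\n"
    "Accept-Language: en-us;q=0.8,%60whoami\r\n"
    "\r\n"
)


def split_headers(request: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a request."""
    head, _, _body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the request line
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def raw_header_buffer(request: str) -> str:
    """Model of http_raw_header: the header block exactly as sent."""
    head, _, _body = request.partition("\r\n\r\n")
    return head.split("\r\n", 1)[1]


def normalize(value: str) -> str:
    """Approximation of header-value normalization: percent-decode once."""
    return unquote(value)


def header_buffer(request: str) -> str:
    """Model of http_header: every header re-assembled after normalization."""
    return "\r\n".join(f"{n}: {normalize(v)}" for n, v in split_headers(request))


def header_field(request: str, field: str, raw: bool = False) -> Optional[str]:
    """Model of http_header:field <name> / http_raw_header:field <name>.

    Field names are compared case-insensitively, as the text states.
    Returns None when the header is absent, so a content match on it fails.
    """
    for name, value in split_headers(request):
        if name.lower() == field.lower():
            return value if raw else normalize(value)
    return None


def content_match(buffer: Optional[str], pattern: str, nocase: bool = False) -> bool:
    """A single content:"..." check against the selected sticky buffer."""
    if buffer is None:
        return False
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


if __name__ == "__main__":
    raw = raw_header_buffer(SAMPLE_REQUEST)
    norm = header_buffer(SAMPLE_REQUEST)
    print("raw buffer contains %60whoami  :", content_match(raw, "%60whoami"))
    print("norm buffer contains %60whoami :", content_match(norm, "%60whoami"))
    print("norm buffer contains `whoami   :", content_match(norm, "`whoami"))
    print("User-Agent field contains abcip:",
          content_match(header_field(SAMPLE_REQUEST, "USER-AGENT"), "abcip"))
```

The practical consequence for rule writers is that a pattern written with the encoding intact (the "%60whoami" content) belongs on http_raw_header, while the decoded form belongs on http_header, where it also catches other encodings of the same bytes; a field selector narrows either check to one header so unrelated headers cannot produce a match.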