http_header and http_raw_header
Snort makes HTTP request and response headers available in two sticky buffers. The
http_header buffer contains the normalized request/response headers, whereas the
http_raw_header buffer contains the headers exactly as they were received, with no normalization applied.
The header normalization that occurs is similar to the URI normalization and includes things like percent-decoding and path-simplification. Because of that decoding, a pattern that must match an encoded sequence literally (a percent-encoded character, for example) belongs in http_raw_header; in http_header it would only be present in its decoded form.
Snort 3 also allows users to look for content matches in a specific HTTP header field with the optional
field header_name argument. This option is specified with a colon character after
http_header, followed by the word "field", and lastly followed by the name of the header field (the name is case-insensitive). For example:

# http_header field name arguments are case-insensitive
http_header:field user-agent; content:"abcip";

Specifying individual headers like this creates a more efficient and accurate rule: the content match is restricted to the value of the named header, so the pattern no longer has to carry the header name itself and cannot accidentally match the same text appearing in a different header. Without the field argument, the equivalent match is expressed against the whole normalized header buffer, with later matches anchored by distance:

http_header; content:"User-Agent: abcip",fast_pattern,nocase; content:"Accept-Language: en-us",nocase,distance 0;

http_raw_header searches the headers as they arrived, before normalization. It is the buffer to use when a rule needs to see an encoding that normalization would remove, such as the percent-encoded backtick (%60) in the second rule below; that literal is not present in http_header, which holds the decoded character instead:

http_raw_header; content:"Accept-Language: en-us",fast_pattern,nocase;
http_raw_header; content:"Accept-Language:",fast_pattern,nocase; content:"%60whoami",within 30;
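To make the behaviour of the two buffers and the field option concrete, here is a small Python model written for this page (an added example, not Snort code and not part of the Snort documentation). It parses a constructed HTTP request, builds the raw header block, a percent-decoded copy standing in for the normalized http_header buffer, and per-field values looked up by a case-insensitive header name, then evaluates the same content checks the rules above use against each buffer. Percent-decoding is the only normalization modeled, the sample request and helper names are constructed for the example, and the assumption that the field buffer holds just the header's value is taken from what the http_header:field rule above implies.

```python
"""Toy model of Snort 3's http_header / http_raw_header sticky buffers.

Added illustration only, not Snort code. It builds the raw header block,
a percent-decoded stand-in for the normalized http_header buffer, and
per-field values keyed by a case-insensitive header name, then runs
content checks like the rules on this page against each buffer.
"""
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample request (not captured traffic). The Accept-Language
# value carries a percent-encoded backtick (%60) around a shell command.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ABCIP/1.0\r\n"
    b"Accept-Language: en-us%60whoami%60\r\n"
    b"\r\n"
)


def header_block(request: bytes) -> bytes:
    """Return the header lines: after the request line, before the blank line."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers


def raw_header(request: bytes) -> bytes:
    """Model of http_raw_header: header bytes exactly as received."""
    return header_block(request)


def normalized_header(request: bytes) -> bytes:
    """Model of http_header: percent-decoded header block.

    Assumption: percent-decoding is the only normalization modeled here; the
    page describes Snort's header normalization as URI-like, and the rest of
    it (path simplification) does not affect these sample fields.
    """
    return unquote_to_bytes(header_block(request))


def header_field(request: bytes, name: str) -> Optional[bytes]:
    """Model of http_header:field <name>: normalized value of the first header
    whose name matches case-insensitively, or None if no such header exists.

    Assumption: the field buffer holds only the header's value, which is what
    'http_header:field user-agent; content:"abcip";' on this page implies.
    """
    wanted = name.lower().encode("latin-1")
    for line in header_block(request).split(b"\r\n"):
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == wanted:
            return unquote_to_bytes(value.strip())
    return None


def content_match(buffer: Optional[bytes], pattern: bytes, nocase: bool = False) -> bool:
    """Model of 'content:"pattern"' (optionally nocase) against a sticky buffer."""
    if buffer is None:
        return False
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


def content_within(buffer: bytes, anchor: bytes, pattern: bytes, within: int,
                   anchor_nocase: bool = False) -> bool:
    """Model of 'content:"anchor"; content:"pattern",within N': the second
    pattern must fit entirely inside the N bytes that follow the anchor match."""
    hay = buffer.lower() if anchor_nocase else buffer
    idx = hay.find(anchor.lower() if anchor_nocase else anchor)
    if idx < 0:
        return False
    start = idx + len(anchor)
    return pattern in buffer[start:start + within]


def evaluate(request: bytes) -> Dict[str, bool]:
    """Run the checks from the rules above against each buffer of the request."""
    norm, raw = normalized_header(request), raw_header(request)
    return {
        # http_header; content:"User-Agent: abcip",nocase;  (whole header block)
        "header_ua_nocase": content_match(norm, b"User-Agent: abcip", nocase=True),
        # http_header:field user-agent; content:"abcip";  The field NAME is
        # case-insensitive, but the content is not, so "ABCIP/1.0" is missed...
        "field_ua": content_match(header_field(request, "USER-AGENT"), b"abcip"),
        # ...until nocase is added to the content match.
        "field_ua_nocase": content_match(header_field(request, "user-agent"), b"abcip", nocase=True),
        # http_raw_header; content:"Accept-Language:",nocase; content:"%60whoami",within 30;
        "raw_encoded_whoami": content_within(raw, b"Accept-Language:", b"%60whoami", 30, anchor_nocase=True),
        # The same literal fails on http_header because normalization decoded %60...
        "header_encoded_whoami": content_match(norm, b"%60whoami"),
        # ...so the normalized buffer has to be searched for the decoded backtick.
        "header_decoded_whoami": content_match(norm, b"`whoami"),
    }


if __name__ == "__main__":
    for check, hit in evaluate(SAMPLE_REQUEST).items():
        print(f"{check:24s} {'match' if hit else 'no match'}")
```

Running the script shows the practical point of the page: the field lookup succeeds with any casing of the header name, the `%60whoami` literal is only found in the raw buffer, and a rule that wants the same condition on http_header has to match the decoded backtick instead.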