http_header and http_raw_header
Snort makes HTTP request and response headers available in two sticky buffers, http_header and http_raw_header. The http_header buffer contains the normalized request/response headers, whereas the http_raw_header buffer contains the unnormalized ones.
The header normalization that occurs is similar to the URI normalization and includes things like percent-decoding and path-simplification. A rule that needs to see the encoded form of a value (for example "%60" rather than the backtick it decodes to) should therefore match on http_raw_header, since the normalized buffer no longer contains it.
Snort 3 also allows users to look for content matches in specific HTTP header fields with the optional field header_name argument. This option is specified with a colon character after http_header, followed by the word "field", and lastly followed by the specific header field name (which is case-insensitive). For example:
http_header:field user-agent;
Specifying individual headers like this creates a more efficient and accurate rule.
http_header
Format:
http_header[:field header_name];
Examples:
http_header;
content:"User-Agent: abcip",fast_pattern,nocase;
content:"Accept-Language: en-us",nocase,distance 0;
# http_header field name arguments are case-insensitive
http_header:field user-agent; content:"abcip";
http_raw_header
Format:
http_raw_header[:field header_name];
Examples:
http_raw_header; content:"Accept-Language: en-us",fast_pattern,nocase;
http_raw_header;
content:"Accept-Language:",fast_pattern,nocase;
content:"%60whoami",within 30;
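The following Python model illustrates the two points above: the difference between the normalized http_header buffer and the unnormalized http_raw_header buffer, and the case-insensitive field header_name selection. It is an added example, not code from the Snort project; the header block is constructed sample data, normalization is reduced to percent-decoding only (Snort's real normalizer does more), and the distance/within handling is a simplified approximation of Snort's relative matching, not its exact semantics. It evaluates the page's last http_raw_header rule ("Accept-Language:" followed by "%60whoami" within 30) against both buffers to show why that rule must target the raw buffer.

```python
from urllib.parse import unquote

# Constructed sample request header block (not captured traffic).
RAW_HEADERS = (
    "Host: example.test\r\n"
    "User-Agent: abcip/1.0\r\n"
    "Accept-Language: en-us\r\n"
    "X-Cmd: %60whoami%60\r\n"
)


def parse_headers(block):
    """Split a header block into (name, value) pairs, preserving order."""
    fields = []
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def normalize_value(value):
    """Simplified stand-in for the header normalization the page describes:
    percent-decoding only (assumption; Snort's normalizer does more)."""
    return unquote(value)


def raw_header_buffer(block):
    """Model of http_raw_header: the headers exactly as sent."""
    return block


def normalized_header_buffer(block):
    """Model of http_header: every value normalized, names left as-is."""
    return "".join(f"{n}: {normalize_value(v)}\r\n" for n, v in parse_headers(block))


def header_field(block, name, raw=False):
    """Model of the ':field header_name' option: select one header by
    case-insensitive name and return its raw or normalized value."""
    for n, v in parse_headers(block):
        if n.lower() == name.lower():
            return v if raw else normalize_value(v)
    return None


def evaluate_contents(buffer, contents):
    """Evaluate an ordered list of content matches against one buffer.
    Each item is (pattern, nocase, distance, within); distance and within are
    measured from the end of the previous match. This is a simplified
    approximation of Snort's relative matching, not its exact semantics."""
    cursor = 0
    for pattern, nocase, distance, within in contents:
        start = cursor + distance
        end = start + within if within is not None else len(buffer)
        window = buffer[start:end]
        if nocase:
            window, pattern = window.lower(), pattern.lower()
        idx = window.find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


# The page's last http_raw_header example, expressed as data:
#   content:"Accept-Language:",fast_pattern,nocase; content:"%60whoami",within 30;
RAW_WHOAMI_RULE = [
    ("Accept-Language:", True, 0, None),
    ("%60whoami", False, 0, 30),
]


def rule_fires(block, raw):
    """Run RAW_WHOAMI_RULE against the raw or the normalized header buffer."""
    buf = raw_header_buffer(block) if raw else normalized_header_buffer(block)
    return evaluate_contents(buf, RAW_WHOAMI_RULE)


if __name__ == "__main__":
    print("user-agent field:", header_field(RAW_HEADERS, "USER-AGENT"))
    print("x-cmd raw:", header_field(RAW_HEADERS, "x-cmd", raw=True))
    print("x-cmd normalized:", header_field(RAW_HEADERS, "x-cmd"))
    print("rule fires on http_raw_header:", rule_fires(RAW_HEADERS, raw=True))
    print("rule fires on http_header:", rule_fires(RAW_HEADERS, raw=False))
```

Because "%60" has already been decoded to a backtick in the normalized buffer, the same content string matches only in the raw buffer; conversely, a rule written against the decoded form should use http_header so that encoding variants of the same value are all caught.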