http_header and http_raw_header

Snort makes HTTP request and response headers available in two sticky buffers, http_header and http_raw_header. The http_header buffer contains the normalized request/response headers, whereas the http_raw_header buffer contains unnormalized ones.

The header normalization that occurs is similar to the URI normalization and includes things like percent-decoding and path-simplification.

Snort 3 also allows users to look for content matches in specific HTTP header fields with the optional field header_name argument. This option is specified with a colon character after http_header, followed by the word "field", and then the specific header field name (which is case-insensitive). For example:

http_header:field user-agent;

Specifying individual headers like this creates a more efficient and accurate rule.

http_header and http_raw_header also accept an optional request argument, which is useful when writing detection that examines both an HTTP client request and the HTTP server response to that request. More specifically, the request argument signifies that the http_header or http_raw_header match(es) should apply to the headers of the request while other parts of the rule examine the response. More information on this topic can be found on this page.

http_header

Format:

http_header[:field header_name][,request];

Examples:

http_header;
content:"User-Agent: abcip",fast_pattern,nocase;
content:"Accept-Language: en-us",nocase,distance 0;
# http_header field name arguments are case-insensitive
http_header:field user-agent;
content:"abcip";

http_raw_header

Format:

http_raw_header[:field header_name][,request];

Examples:

http_raw_header;
content:"Accept-Language: en-us",fast_pattern,nocase;
http_raw_header;
content:"Accept-Language:",fast_pattern,nocase;
content:"%60whoami",within 30;
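The last example above matches the percent-encoded string in http_raw_header rather than http_header. The following added example (not Snort code, and not from the Snort project) models why: it applies a simplified percent-decoding normalization to constructed sample headers and shows that "%60whoami" is only found in the raw buffer, while the field-scoped match is case-insensitive and limited to the named header's value. The header names and values are constructed; the normalization is an assumed approximation of what the page describes.

```python
import urllib.parse

# Constructed sample request headers (not captured traffic).
RAW_HEADERS = [
    ("User-Agent", "abcip/1.0"),
    ("Accept-Language", "en-us"),
    ("X-Cmd", "%60whoami%60"),
]


def normalize_headers(headers):
    """Approximate the http_header normalization the page describes:
    percent-decode header values as the URI normalizer would.
    (Assumed simplification; the real inspector does more.)"""
    return [(name, urllib.parse.unquote(value)) for name, value in headers]


def header_buffer(headers, field=None):
    """Build the buffer a rule option would match against.
    No field: the whole 'Name: value' block joined by CRLF.
    With a field: only that header's value, name compared case-insensitively
    (mirrors the 'field header_name' argument)."""
    if field is None:
        return "\r\n".join(f"{n}: {v}" for n, v in headers)
    return "\r\n".join(v for n, v in headers if n.lower() == field.lower())


def content_match(buf, pattern, nocase=False):
    """Minimal stand-in for a Snort content match (optionally nocase)."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(headers):
    """Run the page's matches against the raw and normalized buffers."""
    raw = header_buffer(headers)
    norm = header_buffer(normalize_headers(headers))
    return {
        # http_raw_header; content:"%60whoami" -> encoded form still present
        "raw_encoded": content_match(raw, "%60whoami"),
        # http_header; content:"%60whoami" -> decoded away, so no match
        "norm_encoded": content_match(norm, "%60whoami"),
        # http_header; content on the decoded form matches instead
        "norm_decoded": content_match(norm, "`whoami"),
        # http_header:field user-agent; content:"abcip" (name case differs)
        "field_ua": content_match(header_buffer(headers, "USER-AGENT"), "abcip"),
        # field scoping excludes other headers' values
        "field_ua_other": content_match(header_buffer(headers, "user-agent"), "en-us"),
    }
```

Calling evaluate(RAW_HEADERS) shows the raw buffer matching the encoded string, the normalized buffer matching only the decoded form, and the field-scoped buffer containing just the User-Agent value.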