HTTP Specific Options
Snort operates with a bevy of "service inspectors" that identify specific TCP/UDP applications and divide the application data into distinct buffers. One of these is the "HTTP inspector".
Whenever HTTP traffic is detected in a packet, the HTTP service inspector scans the payload data to parse the different HTTP elements (e.g., URIs, headers, methods, etc.) and populates individual buffers with those different pieces. This powerful inspector allows rule writers to then develop rules with content matches targeting only specific parts of an HTTP packet.
Most HTTP options in Snort 3 rules are "sticky buffers", as opposed to the content modifiers they were in Snort 2. A sticky buffer option is placed before a content match and selects the buffer that match (and every following match, until another buffer is selected) is tested against (e.g., http_uri; content:"/pizza.php";). In addition to these sticky buffers, there are a few non-sticky-buffer HTTP rule options that run checks on specific parts of an HTTP message rather than selecting a buffer for content matching.
This section goes over each of these rule options in great detail, describing how to use each one, what HTTP data is included in each sticky buffer, and how that data gets formatted in the different buffers.
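As an added illustration, and not code from Snort or from the original manual, the Python below models the two ideas this section rests on: an HTTP request is carved into named buffers matching the keywords in the Quick Reference that follows, and a rule's options are evaluated left to right with sticky-buffer semantics, so a content match is tested only against the most recently selected buffer. The sample request bytes are constructed, not captured. The URI normalization (percent-decoding plus dot-segment collapsing) is a deliberate simplification of Snort's real normalizer, header normalization is omitted entirely, and the http_num_headers range syntax is reduced to a single value or a one-sided bound; treat those as modeling assumptions, not a description of Snort's implementation.

```python
"""Toy model of an HTTP service inspector splitting a request into sticky
buffers, plus a rule evaluator with sticky-buffer semantics.

Illustrative only: this is NOT Snort's code and simplifies its normalization.
"""
import posixpath
from urllib.parse import unquote

# Constructed sample request (not captured traffic). The raw URI carries a
# percent-encoded byte and a dot segment so normalized and raw buffers differ.
SAMPLE_REQUEST = (
    b"GET /menu/../piz%7Aa.php?topping=olives HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"User-Agent: curl/8.0\r\n"
    b"\r\n"
)


def normalize_uri(raw_uri: str) -> str:
    """Simplified URI normalization: percent-decode the path and collapse
    dot segments. Snort's normalizer does considerably more; this is a model."""
    path, sep, query = raw_uri.partition("?")
    return posixpath.normpath(unquote(path)) + sep + query


def split_request(raw: bytes) -> dict:
    """Carve a request into buffers named after the Snort 3 HTTP keywords."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, raw_uri, version = request_line.split(" ", 2)
    cookies, headers = [], []
    for line in header_lines:
        name, _, value = line.partition(":")
        # The Cookie header is routed to the cookie buffer and left out of the
        # header buffer; header normalization itself is not modeled here.
        if name.strip().lower() == "cookie":
            cookies.append(value.strip())
        else:
            headers.append(line)
    return {
        "http_method": method,
        "http_raw_uri": raw_uri,
        "http_uri": normalize_uri(raw_uri),
        "http_version": version,
        "http_raw_request": request_line,
        "http_header": "\r\n".join(headers) + "\r\n",
        "http_cookie": "; ".join(cookies),
        "http_client_body": body.decode("latin-1"),
        "_num_headers": len(header_lines),  # consumed by http_num_headers
    }


def check_count(n: int, spec: str) -> bool:
    """Reduced range syntax for the toy: 'N', '<N' or '>N' (an assumption)."""
    if spec.startswith("<"):
        return n < int(spec[1:])
    if spec.startswith(">"):
        return n > int(spec[1:])
    return n == int(spec)


def evaluate_rule(options, buffers) -> bool:
    """Walk rule options in order. A sticky-buffer keyword selects the buffer
    that every following content match is tested against; http_num_headers is
    a non-sticky check that reads the header count without changing the
    selected buffer. Returns True only if every option is satisfied."""
    current = None
    for opt, arg in options:
        if opt == "content":
            if current is None or arg not in buffers[current]:
                return False
        elif opt == "http_num_headers":
            if not check_count(buffers["_num_headers"], arg):
                return False
        elif opt in buffers and not opt.startswith("_"):
            current = opt  # sticky: stays selected for later content matches
        else:
            raise ValueError(f"unknown rule option: {opt}")
    return True


if __name__ == "__main__":
    bufs = split_request(SAMPLE_REQUEST)
    for name in ("http_method", "http_raw_uri", "http_uri", "http_cookie"):
        print(f"{name:14} {bufs[name]!r}")
    # Equivalent of: http_uri; content:"/pizza.php";
    print(evaluate_rule([("http_uri", None), ("content", "/pizza.php")], bufs))
    # Same content against the raw URI does not match (dot segment, %7A intact).
    print(evaluate_rule([("http_raw_uri", None), ("content", "/pizza.php")], bufs))
```

The contrast between the two evaluations at the bottom is the practical point of sticky buffers: the same content string hits in http_uri and misses in http_raw_uri, so the buffer keyword chosen before content decides what an evasion such as a dot segment or percent-encoding does to the rule.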
Quick Reference
keyword | description |
---|---|
http_uri | Normalized HTTP URI |
http_raw_uri | Unnormalized HTTP URI |
http_header | Normalized HTTP headers |
http_raw_header | Unnormalized HTTP headers |
http_cookie | Normalized HTTP cookies |
http_raw_cookie | Unnormalized HTTP cookies |
http_client_body | Normalized HTTP request body |
http_raw_body | Unnormalized HTTP request body and response data |
http_param | Specific HTTP parameter values |
http_method | HTTP request methods |
http_version | HTTP request and response versions |
http_stat_code | HTTP response status codes |
http_stat_msg | HTTP response status messages |
http_raw_request | Unnormalized HTTP start lines |
http_raw_status | Unnormalized HTTP status lines |
http_trailer | Normalized HTTP trailers |
http_raw_trailer | Unnormalized HTTP trailers |
http_true_ip | Original client IP address as stored in various request proxy headers |
http_version_match | Non-sticky buffer option used to test an HTTP message's version against a list of versions |
http_num_headers | Non-sticky buffer option used to test the number of HTTP headers against a specific value or a range of values |
http_num_trailers | Non-sticky buffer option used to test the number of HTTP trailers against a specific value or a range of values |
http_num_cookies | Non-sticky buffer option used to test the number of HTTP cookies against a specific value or a range of values |
Combining Request and Response Detection | Explains how to create rules that examine an HTTP response and the HTTP request associated with that response |