http_num_cookies

The http_num_cookies rule option is used to compare the number of HTTP cookies present in an HTTP packet against a specific value.

This rule option works against HTTP requests and HTTP responses, and users can check for the number of cookies present in a Cookie: header or in a Set-Cookie: header.

For example, the following Cookie: header has two cookies:

GET /cookies HTTP/1.1
Host: www.cookie-store.com
Cookie: SID=31d4d96e407aad42; lang=en-US

Users can check whether the total number of cookies present is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value.

Additionally, users can also use http_num_cookies to look for a count value that is between two numbers. This is done by setting the sign to <> or <=> and putting the minimum count to the left of the sign and the maximum count to the right of it. The <> case is for an exclusive min-max check, while the <=> is for an inclusive min-max check.

Valid http_num_cookies number values are 0 through 65535 (inclusive).

Note that you can also optionally add ,request to the rule option to only count the number of request cookies, even when examining the response.

Format:

Single value comparison:
http_num_cookies:[<|>|=|!|<=|>=]count[,request];
Range comparison:
http_num_cookies:min_count{<>|<=>}max_count[,request];

Examples:

# Look for an HTTP packet containing more than 100 cookies
http_num_cookies:>100;
# Look for an HTTP packet containing exactly 100 cookies
http_num_cookies:100;
# Look for an HTTP packet containing somewhere between
# 50 and 100 cookies (exclusive)
http_num_cookies:50<>100;