Rule writers can access the value of a specific HTTP parameter with the http_param sticky buffer. This buffer will contain only the value of the specified parameter. This option is perfect for when rule writers want to match a particular parameter's value but aren't sure if that parameter is sent via the URI or the client body.
The parameter value will be normalized like values are in http_client_body. The parameter name argument is case-sensitive by default, but Snort can be instructed to ignore case by adding ,nocase after the param name.
For example, given a request like /food.php?favoriteFood=pizza, users can set the http_param argument to favoriteFood to look only at that param's value.
http_param matches are not eligible to be used as fast patterns.
http_uri; content:"/food.php",fast_pattern,nocase; http_param:"favoriteFood",nocase; content:"pizza",nocase;
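The following is an added example, not Snort code: a simplified Python model of what the rule options above inspect, useful for reasoning about which requests a rule would and would not cover. The function names and sample requests are hypothetical, and normalization is approximated by percent-decoding only.

```python
from urllib.parse import unquote, urlsplit


def param_values(uri, body, name, nocase=False):
    """Return every value of parameter `name` found in the URI query or the body.

    Models the http_param buffer: only the value is exposed, never the name
    or the other parameters. Name matching is case-sensitive unless `nocase`.
    """
    values = []
    for source in (urlsplit(uri).query, body):
        for pair in source.split("&"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            same = key.lower() == name.lower() if nocase else key == name
            if same:
                # Assumption: normalization modelled as percent-decoding only.
                values.append(unquote(value))
    return values


def rule_matches(uri, body, name, needle, name_nocase=False):
    """Model of: http_param:"<name>"[,nocase]; content:"<needle>",nocase;"""
    return any(
        needle.lower() in value.lower()
        for value in param_values(uri, body, name, name_nocase)
    )


# Constructed sample requests (not captured traffic).
GET_URI = "/food.php?favoriteFood=pizza"
POST_URI = "/food.php"
POST_BODY = "user=bob&favoritefood=P%69zza"           # lowercase name, encoded value
OTHER_URI = "/food.php?leastFavorite=pizza&favoriteFood=sushi"

if __name__ == "__main__":
    for uri, body in ((GET_URI, ""), (POST_URI, POST_BODY), (OTHER_URI, "")):
        print(uri, body or "-",
              "case-sensitive:", rule_matches(uri, body, "favoriteFood", "pizza"),
              "nocase:", rule_matches(uri, body, "favoriteFood", "pizza", True))
```

The third request shows why the scoped buffer matters: "pizza" appears in the URI, but not in the value of favoriteFood, so the modelled rule does not match.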