http_param

Rule writers can access the value of a specific HTTP parameter with the http_param sticky buffer. This buffer contains only the value of the specified parameter. The option is well suited to cases where rule writers want to match a particular parameter's value but aren't sure whether that parameter is sent in the URI or in the client body.

The parameter value is normalized in the same way as values in http_uri and http_client_body. The parameter name argument is case-sensitive by default, but Snort can be instructed to ignore case by adding ,nocase after the parameter name.

For example, given a request like /food.php?favoriteFood=pizza, users can set the http_param argument to favoriteFood to look only at that param's value.

Note: http_param matches are not eligible to be used as fast patterns.

Format:

http_param:"param_name"[,nocase];

Examples:

http_param:"favoriteFood",nocase;
content:"pizza",nocase;

http_uri;
content:"/food.php",fast_pattern,nocase;
http_param:"favoriteFood",nocase;
content:"pizza",nocase;
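
The matching behaviour described above, modelled in Python as an added example (it is not Snort's code and not part of the original page): it shows which requests the first example's options would and would not match. The function names, the constructed sample requests, the use of unquote_plus as a simplified stand-in for Snort's normalization, and the choice to check the URI query before the client body are assumptions.

```python
from urllib.parse import unquote_plus


def _find(params, name, nocase):
    """Return the normalized value of the first parameter called `name`, or None."""
    for pair in params.split("&"):
        key, _, value = pair.partition("=")
        if key == name or (nocase and key.lower() == name.lower()):
            return unquote_plus(value)  # assumption: simplified normalization
    return None


def http_param(uri, body, name, nocase=False):
    """Model of the http_param buffer: only the named parameter's value."""
    _, _, query = uri.partition("?")
    value = _find(query, name, nocase) if query else None
    if value is None and body:  # assumption: URI query first, then client body
        value = _find(body, name, nocase)
    return value


def rule_matches(uri, body=""):
    """Model of: http_param:"favoriteFood",nocase; content:"pizza",nocase;"""
    value = http_param(uri, body, "favoriteFood", nocase=True)
    return value is not None and "pizza" in value.lower()


# Constructed sample requests: (URI, urlencoded client body)
SAMPLES = [
    ("/food.php?favoriteFood=pizza", ""),     # value sent in the URI query
    ("/food.php", "favoriteFood=pizza"),      # value sent in the client body
    ("/food.php?FAVORITEFOOD=P%49ZZA", ""),   # name case differs, value encoded
    ("/food.php?drink=pizza", ""),            # "pizza" in a different parameter
    ("/pizza.php?favoriteFood=salad", ""),    # "pizza" only in the path
]

if __name__ == "__main__":
    for uri, body in SAMPLES:
        print(rule_matches(uri, body), uri, body)
```

The last two samples show why the buffer is narrower than a plain http_uri content match: "pizza" appears in the request, but not in the value of favoriteFood.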