http_param
Rule writers can access the value of a specific HTTP parameter with the http_param
sticky buffer. This buffer will contain only the value of the specified parameter. This option is perfect for when rule-writers want to match a particular parameter's value but aren't sure if that parameter is sent via the URI or the client body.
The http_param
buffer will be populated with the specified parameter's value whenever that parameter appears in either a query string sent via the URL or in a urlencoded form (key-value pair) sent in the client body. http_param
currently does not support multipart/form-data requests, and so a separate rule that does not use http_param
would be needed in order to detect a parameter sent using a multipart request.
The parameter value will be URL decoded but not path normalized. The parameter name argument is case-sensitive by default, but Snort can be instructed to ignore case by adding ,nocase
after the param name.
For example, given a request like /food.php?favoriteFood=pizza
, users can set the http_param
argument to favoriteFood
to look only at that param's value.
It is also recommended that rule writers make the first rule option used after http_param
"relative" by adding either distance 0
to a content match or adding the R
flag to a pcre. This is because http_param
by default will look at only the first instance of the specified parameter in the request, even if that parameter "key" appears multiple times. Making the first option relative instructs Snort to look at all instances of that parameter.
Note:
http_param
matches are not eligible to be used as fast patterns.
Format:
http_param:"param_name"[,nocase];
Examples:
http_param:"favoriteFood",nocase;
# note the "distance 0" relative modifier used to make the option relative
content:"pizza",nocase,distance 0;
http_uri;
content:"/food.php",fast_pattern,nocase;
http_param:"favoriteFood",nocase;
# note the 'R' flag used to make the option relative
pcre:"/([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/R";