http_raw_request and http_raw_status

The sticky buffers http_raw_request and http_raw_status contain the unmodified first line of HTTP request and HTTP response messages, respectively. These rule options are a safety valve in case one needs to do something that can't otherwise be done with the specific start and status-line buffers.

http_raw_request

Format:

http_raw_request;

Examples:

http_raw_request; content:"GET /robots.txt HTTP/1.1";

http_raw_request; content:"POST /totally_not_vulnerable.php HTTP/1.1";

http_raw_status

Format:

http_raw_status;

Examples:

http_raw_status; content:"HTTP/1.1 200 OK";

http_raw_status; content:"HTTP/1.1 404 Not Found";