http_raw_request and http_raw_status
The sticky buffers http_raw_request
and http_raw_status
contain the unmodified first line of HTTP request and HTTP response messages, respectively. These rule options are a safety valve in case one needs to do something that can't otherwise be done with the specific start and status-line buffers.
http_raw_request
Format:
http_raw_request;
Examples:
http_raw_request; content:"GET /robots.txt HTTP/1.1";
http_raw_request; content:"POST /totally_not_vulnerable.php HTTP/1.1";
http_raw_status
Format:
http_raw_status;
Examples:
http_raw_status; content:"HTTP/1.1 200 OK";
http_raw_status; content:"HTTP/1.1 404 Not Found";