http_trailer and http_raw_trailer

HTTP allows header lines to appear after a chunked body ends; these are referred to as "trailers". Snort makes these trailers available via the http_trailer and http_raw_trailer sticky buffers. These behave identically to their *_header counterparts, but apply to the trailer lines at the end of the message instead of the headers at the start.

Take the following chunked response, for example:

HTTP/1.1 200 OK
Host:abcip-host.local
Content-Type: text/plain
Transfer-Encoding: chunked
Trailer: Expires

7
Mozilla
9
Developer
7
Network
0
Expires: Wed, 21 Oct 2015 07:28:00 GMT

The http_trailer and http_raw_trailer buffers will be set to the first Trailer header, which in this case is Expires:

[http_trailer]
00000000  45 78 70 69 72 65 73 3A 20 57 65 64 2C 20 32 31  Expires: Wed, 21
00000010  20 4F 63 74 20 32 30 31 35 20 30 37 3A 32 38 3A   Oct 2015 07:28:
00000020  30 30 20 47 4D 54                                00 GMT

As with http_header, users can tell Snort to look at only a particular trailer field by using the optional field argument.

http_trailer

Format:

http_trailer[:field field_name];

Examples:

http_trailer; content:"Expires:";

http_trailer;
content:"Expires:";
content:"2015", within 30;
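To see where the trailer bytes come from and why the second example above matches, the following Python sketch de-chunks the sample response and applies the same two content checks to the trailer section. It is an added illustration, not Snort's http_inspect code or anything from the Snort project; the function names `split_chunked` and `content_then_within` are hypothetical, and CRLF line endings are assumed for the sample.

```python
# Simplified model for illustration; not Snort's http_inspect code.
# SAMPLE is the page's response; CRLF line endings are assumed.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nHost:abcip-host.local\r\n"
    b"Content-Type: text/plain\r\nTransfer-Encoding: chunked\r\n"
    b"Trailer: Expires\r\n\r\n"
    b"7\r\nMozilla\r\n9\r\nDeveloper\r\n7\r\nNetwork\r\n"
    b"0\r\nExpires: Wed, 21 Oct 2015 07:28:00 GMT\r\n\r\n"
)

def split_chunked(message: bytes):
    """Return (decoded_body, trailer_section) of a chunked HTTP message."""
    _head, sep, rest = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    body, pos = b"", 0
    while True:
        eol = rest.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        # Size is hexadecimal; text after ';' is a chunk extension.
        size = int(rest[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break  # last chunk: the trailer section starts at pos
        if rest[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or missing CRLF")
        body += rest[pos:pos + size]
        pos += size + 2
    tail = rest[pos:]
    if tail.startswith(b"\r\n"):
        return body, b""  # chunked body with no trailers
    end = tail.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("trailer section is not terminated")
    return body, tail[:end]

def content_then_within(buf: bytes, first: bytes, second: bytes, n: int) -> bool:
    """Model of: content:first; content:second, within n;"""
    start = buf.find(first)
    while start >= 0:
        cursor = start + len(first)  # cursor sits just past the first match
        if second in buf[cursor:cursor + n]:  # whole match must fit in n bytes
            return True
        start = buf.find(first, start + 1)
    return False

if __name__ == "__main__":
    body, trailer = split_chunked(SAMPLE)
    print(body, trailer, content_then_within(trailer, b"Expires:", b"2015", 30))
```

The extracted trailer section is the same 38 bytes shown in the hex dump, and the decoded body contains none of them, which is why a rule that only inspects the body or the headers would not see the Expires line.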

http_raw_trailer

Format:

http_raw_trailer;

Examples:

http_raw_trailer; content:"Expires:";

http_raw_trailer;
content:"Expires:";
content:"2015", within 30;