http_trailer and http_raw_trailer

HTTP allows header lines to appear after a chunked body ends; these are referred to as "trailers". Snort makes these trailers available via the http_trailer and http_raw_trailer sticky buffers. They behave exactly like their http_header and http_raw_header counterparts but apply to the trailing headers at the end of the message instead.

Take the following chunked response, for example:

HTTP/1.1 200 OK
Host:abcip-host.local
Content-Type: text/plain
Transfer-Encoding: chunked
Trailer: Expires

7
Mozilla
9
Developer
7
Network
0
Expires: Wed, 21 Oct 2015 07:28:00 GMT

The http_trailer and http_raw_trailer buffers will be set to the trailer header(s) that follow the final zero-length chunk, which in this case is just Expires:

[http_trailer]
00000000  45 78 70 69 72 65 73 3A 20 57 65 64 2C 20 32 31  Expires: Wed, 21
00000010  20 4F 63 74 20 32 30 31 35 20 30 37 3A 32 38 3A   Oct 2015 07:28:
00000020  30 30 20 47 4D 54                                00 GMT

As with http_header, users can tell Snort to look at only a particular trailer field by supplying the optional field argument.

http_trailer and http_raw_trailer also accept an optional request argument, which is useful when writing detection that looks at both an HTTP client request and the HTTP server response to that request. Specifically, the request argument signifies that the http_trailer or http_raw_trailer match(es) should apply to the trailers of the request even though other parts of the rule examine the response. More information on this topic can be found on this page.

http_trailer

Format:

http_trailer[:field field_name][,request];

Examples:

http_trailer;
content:"Expires:";

http_trailer;
content:"Expires:";
content:"2015", within 30;

http_raw_trailer

Format:

http_raw_trailer[:field field_name][,request];

Examples:

http_raw_trailer;
content:"Expires:";

http_raw_trailer;
content:"Expires:";
content:"2015", within 30;
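As an added example (not Snort's own code), the following Python parses the chunked response shown earlier, recovers the trailer section that the http_trailer dump displays, and evaluates the two rule fragments above against it. The function names, the simplified reading of within, and the sample bytes are assumptions made here.

```python
# Added example (not Snort code): recover the trailer section of a chunked
# HTTP response and evaluate the page's rule fragments against it.
from typing import Optional, Tuple

# Constructed sample: the chunked response from the text above, as wire bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nHost: abcip-host.local\r\n"
    b"Content-Type: text/plain\r\nTransfer-Encoding: chunked\r\n"
    b"Trailer: Expires\r\n\r\n"
    b"7\r\nMozilla\r\n9\r\nDeveloper\r\n7\r\nNetwork\r\n0\r\n"
    b"Expires: Wed, 21 Oct 2015 07:28:00 GMT\r\n\r\n"
)

def split_chunked(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (headers, dechunked body, trailers). The trailer section lies
    between the zero-size chunk and the final empty line; that is the region
    Snort exposes as http_trailer / http_raw_trailer."""
    headers, _, rest = raw.partition(b"\r\n\r\n")
    body, pos = bytearray(), 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        # chunk-size is hex and may carry ";ext=val" extensions; drop them
        size = int(rest[pos:line_end].split(b";")[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            break
        body += rest[pos:pos + size]
        pos += size + 2  # step over the chunk data and its CRLF
    tail = rest[pos:]
    if tail.startswith(b"\r\n"):  # last-chunk followed directly by empty line
        return headers, bytes(body), b""
    return headers, bytes(body), tail.partition(b"\r\n\r\n")[0]

def trailer_field(trailers: bytes, name: bytes) -> Optional[bytes]:
    """One trailer's value, as http_trailer:field <name> would isolate it."""
    for line in trailers.split(b"\r\n"):
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def content_within(buf: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Approximate 'content:first; content:second, within N;' (assumption: the
    second pattern must sit wholly inside the N bytes after the first ends)."""
    start = buf.find(first)
    if start < 0:
        return False
    end = start + len(first)
    return buf.find(second, end, end + within) >= 0
```

The recovered trailer is the same 0x26 bytes shown in the hex dump, and a body chunk that happens to contain "0\r\n" is not mistaken for the last-chunk because the parser steps over chunk data by size.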