http_version

Snort parses the HTTP version from request and response start/status lines and makes it accessible to rule-writers via the http_version sticky buffer. This is usually HTTP/1.0 or HTTP/1.1.

http_version also accepts an optional request argument, which is useful when a rule examines both an HTTP client request and the HTTP server response to that request. Specifically, when other parts of the rule are examining the response, the request argument makes the http_version match or matches apply to the HTTP version from the request. More information on this topic can be found on this page.

Format:

http_version[:request];

Examples:

http_version;
content:"HTTP/1.1";

http_version;
content:"HTTP/1.0";
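
The request argument in use, as an added example that is not part of the original documentation: the rule inspects a server response, matching the response's own version and status code, and uses http_version:request to match the version the client sent in the same transaction. The msg text and sid are constructed placeholders.

```snort
# Added example (constructed); msg and sid are placeholders.
# Response side: http_version and http_stat_code read the status line.
# Request side:  http_version:request reads the version from the
#                request that this response answers.
alert http (
    msg:"HTTP/1.0 request answered with HTTP/1.1 200 response";
    flow:to_client,established;
    http_version; content:"HTTP/1.1";
    http_stat_code; content:"200";
    http_version:request; content:"HTTP/1.0";
    sid:1000001; rev:1;
)
```

Without the request argument, the third match would be evaluated against the response's status line, which the rule has already required to be HTTP/1.1, so the rule could never fire.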