classtype:bad-unknown; sid:30; rev:1;)
Request Keywords:
- * http.uri
- * http.uri.raw
- * http.method
- * http.request_line
- * http.request_body
- * http.cookie
- * http.user_agent
- * http.host
- * http.host.raw
- * http.accept
- * http.accept_lang
- * http.accept_enc
- * http.referer
- * file.name
+ * :ref:`http.uri`
+ * :ref:`http.method`
+ * :ref:`http.request_line`
+ * :ref:`http.request_body`
+ * :ref:`http.user_agent`
+ * :ref:`http.host`
+ * :ref:`http.accept`
+ * :ref:`http.accept_lang`
+ * :ref:`http.accept_enc`
+ * :ref:`http.referer`
+ * :ref:`file.name`
Response Keywords:
- * http.stat_msg
- * http.stat_code
- * http.response_line
- * http.response_body
- * http.server
- * http.location
+ * :ref:`http.stat_msg`
+ * :ref:`http.stat_code`
+ * :ref:`http.response_line`
+ * :ref:`http.response_body`
+ * :ref:`http.server`
+ * :ref:`http.location`
Request or Response Keywords:
- * file.data
- * http.content_type
- * http.content_len
- * http.start
- * http.protocol
- * http.header_names
- * http.header
- * http.header.raw
- * http.cookie
+ * :ref:`file.data`
+ * :ref:`http.content_type`
+ * :ref:`http.content_len`
+ * :ref:`http.start`
+ * :ref:`http.protocol`
+ * :ref:`http.header_names`
+ * :ref:`http.header`
+ * :ref:`http.cookie`
Although cookies are sent in an HTTP header, you can not match on them
with the ``http.header`` keyword. Cookies are matched with their own
buffer. You can not relate content matches against different buffers
with relative modifiers.
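Review bot: the rewritten lists drop the raw-buffer entries (`http.uri.raw` and `http.host.raw` under Request Keywords, `http.header.raw` under Request or Response Keywords) even though this same change adds targets for them further down (`.. _http.uri.raw:`, `.. _http.header.raw:`, `.. _http.host.raw:`); either keep them in the lists as :ref: entries or say that the raw variants are documented in the combined sections. Two smaller points: a :ref: without an explicit title renders the target section's title, so `* :ref:`http.uri`` will display as "http.uri and http.uri.raw" (likewise `http.header` and `http.host`), and the form `:ref:`http.uri <http.uri>`` keeps the bare keyword name in the list; and `http.cookie` is removed from Request Keywords and kept only under Request or Response Keywords, which resolves the old duplicate but deserves a line in the commit message.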
+.. _http.method:
+
http.method
-----------
.. _rules-http-uri-normalization:
+.. _http.uri:
+
+.. _http.uri.raw:
+
http.uri and http.uri.raw
-------------------------
content sticky buffer be used rather than the deprecated ``uricontent``
keyword.
+.. _urilen:
+
urilen
------
You can also append ``norm`` or ``raw`` to define what sort of buffer you want
to use (normalized or raw buffer).
+.. _http.protocol:
+
http.protocol
-------------
alert http any any -> any any (flow:to_server; http.protocol; content:"HTTP/1.0"; sid:1;)
+.. _http.request_line:
+
http.request_line
-----------------
alert http any any -> any any (http.request_line; content:"GET / HTTP/1.0"; sid:1;)
+.. _http.header:
+
+.. _http.header.raw:
+
http.header and http.header.raw
-------------------------------
Example of the purpose of ``http.header``:
-
+.. _http.cookie:
http.cookie
-----------
content:"PHPSESSIONID="; startswith;` classtype:bad-unknown; sid:123;
rev:1;)
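Review bot: the new target `.. _http.cookie:` is not followed by a blank line before the `http.cookie` heading, unlike the targets added in the earlier hunks (each of which adds a `+` blank line after the label); docutils treats the heading as an unindented continuation of the explicit markup block and warns "Explicit markup ends without a blank line; unexpected unindent", which turns into an error under a `-W` build. Add the blank line here (this hunk also removes a blank line, so it looks like it was dropped by mistake); the same blank line is missing after the targets for http.accept_lang, http.connection, http.content_type, http.content_len, http.stat_msg, http.response_line and http.response_header.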
+.. _http.user_agent:
+
http.user_agent
---------------
- `https://blog.inliniac.net/2012/07/09/suricata-http\_user\_agent-vs-http\_header/ <https://blog.inliniac.net/2012/07/09/suricata-http_user_agent-vs-http_header/>`_
+.. _http.accept:
+
http.accept
-----------
alert http any any -> any any (http.accept; content:"image/gif"; sid:1;)
+.. _http.accept_enc:
+
http.accept_enc
---------------
alert http any any -> any any (http.accept_enc; content:"gzip"; sid:1;)
+.. _http.accept_lang:
http.accept_lang
----------------
alert http any any -> any any (http.accept_lang; content:"en-us"; sid:1;)
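Review bot: `.. _http.accept_lang:` needs a blank line before the heading, like the other targets in this change; without it docutils emits the unindent warning for the explicit markup block.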
+.. _http.connection:
http.connection
---------------
alert http any any -> any any (http.connection; content:"keep-alive"; sid:1;)
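Review bot: `.. _http.connection:` also lacks the blank line before the heading. Separately, now that a target exists, `http.connection` could be added to the Request or Response Keywords list at the top of the page, where it is absent both before and after this change.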
+.. _http.content_type:
http.content_type
-----------------
alert http any any -> any any (flow:to_client; \
http.content_type; content:"text/javascript"; sid:2;)
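Review bot: `.. _http.content_type:` is missing the blank line before the heading; add it so the target is a complete explicit markup block.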
+.. _http.content_len:
http.content_len
----------------
alert http any any -> any any (flow:to_client; \
http.content_len; byte_test:0,>=,8079,0,string,dec; sid:3;)
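Review bot: `.. _http.content_len:` is missing the blank line before the heading, same fix as for the http.cookie target.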
+.. _http.referer:
+
http.referer
---------------
alert http any any -> any any (http.referer; content:".php"; sid:1;)
+.. _http.start:
+
http.start
----------
The buffer contains the normalized headers and is terminated by an extra
\\r\\n to indicate the end of the headers.
+.. _http.header_names:
+
http.header_names
-----------------
content:"|0d 0a|Host|0d 0a|"; content:"|0a 0d|User-Agent|0d 0a|"; \
distance:-2; sid:1;)
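Review bot: not part of this hunk's change, but the context line `content:"|0a 0d|User-Agent|0d 0a|"` looks like swapped CRLF bytes: the preceding match ends in `|0d 0a|` and `distance:-2` backs up over exactly that CRLF, so the second pattern should begin with `|0d 0a|` like the first; worth correcting while this section is being touched.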
+.. _http.request_body:
+
http.request_body
-----------------
+to use the previous name, but it's recommended that rules be converted to use
+the new name.
+.. _http.stat_code:
+
http.stat_code
--------------
Example of the purpose of ``http.stat_code``:
+.. _http.stat_msg:
http.stat_msg
-------------
Example of the purpose of ``http.stat_msg``:
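Review bot: `.. _http.stat_msg:` is missing the blank line before the heading that the neighbouring `.. _http.stat_code:` hunk includes; add it for consistency and to avoid the docutils warning.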
+.. _http.response_line:
http.response_line
------------------
alert http any any -> any any (http.response_line; content:"HTTP/1.0 200 OK"; sid:1;)
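Review bot: `.. _http.response_line:` needs the blank line before the heading as well.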
+.. _http.response_body:
+
http.response_body
------------------
+to use the previous name, but it's recommended that rules be converted to use
+the new name.
+.. _http.server:
+
http.server
-----------
alert http any any -> any any (flow:to_client; \
http.server; content:"Microsoft-IIS/6.0"; sid:1;)
+.. _http.location:
+
http.location
-------------
alert http any any -> any any (flow:to_client; \
http.location; content:"http://www.google.com"; sid:1;)
+.. _http.host:
+
+.. _http.host.raw:
+
http.host and http.host.raw
---------------------------
The ``nocase`` keyword is not allowed anymore. Keep in mind that you need
to specify a lowercase pattern.
+.. _http.request_header:
+
http.request_header
-------------------
``http.request_header`` can be used as ``fast_pattern``.
+.. _http.response_header:
http.response_header
--------------------
- Corresponding PCRE modifier (``http_host``): ``W``
- Corresponding PCRE modifier (``http_raw_host``): ``Z``
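Review bot: `.. _http.response_header:` is the last target in this change without a trailing blank line before its heading; the sibling `.. _http.request_header:` hunk has it, so add one here too.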
+.. _file.data:
+
file.data
---------
``file.data`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+.. _file.name:
+
file.name
---------