In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer.
-The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer.
+The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer.
Example::
http_user_agent Modifier Request
http_host Modifier Request
http_raw_host Modifier Request
+http_accept Sticky Buffer Request
+http_accept_lang Sticky Buffer Request
+http_accept_enc Sticky Buffer Request
+http_referer Sticky Buffer Request
+http_connection Sticky Buffer Request
+http_content_type Sticky Buffer Both
+http_content_len Sticky Buffer Both
+http_start Sticky Buffer Both
+http_protocol Sticky Buffer Both
+http_header_names Sticky Buffer Both
============================== ======================== ==================
The following response keywords are available:
http_cookie Modifier Both
http_server_body Modifier Response
file_data Sticky Buffer Response
+http_content_type Sticky Buffer Both
+http_content_len Sticky Buffer Both
+http_start Sticky Buffer Both
+http_protocol Sticky Buffer Both
+http_header_names Sticky Buffer Both
============================== ======================== ==================
It is important to understand the structure of HTTP requests and
You can also append ``norm`` or ``raw`` to define what sort of buffer you want
to use (normalized or raw buffer).
+http_protocol
+-------------
+
+The ``http_protocol`` inspects the protocol field from the HTTP request or
+response line. If the request line is 'GET / HTTP/1.0\r\n', then this buffer
+will contain 'HTTP/1.0'.
+
+Example::
+
+ alert http any any -> any any (flow:to_server; http_protocol; content:"HTTP/1.0"; sid:1;)
+
http_request_line
-----------------
.. image:: http-keywords/user_agent_match.png
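Review bot: the ``http_protocol`` section is inconsistent with the table entry that marks it "Both": it shows only a ``flow:to_server`` example and, unlike the new ``http_content_type``, ``http_content_len`` and ``http_start`` sections, never tells the reader to use ``flow:to_server`` or ``flow:to_client`` to pick the request or response line. Add that sentence and ideally a ``flow:to_client`` example so the response case is shown too. Also, "The ``http_protocol`` inspects the protocol field" is missing a noun; "The ``http_protocol`` sticky buffer inspects the protocol field" matches how the section is listed in the table.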
+http_accept
+-----------
+
+Sticky buffer to match on the HTTP Accept header. Only contains the header
+value. The \\r\\n after the header are not part of the buffer.
+
+Example::
+
+ alert http any any -> any any (http_accept; content:"image/gif"; sid:1;)
+
+http_accept_enc
+---------------
+
+Sticky buffer to match on the HTTP Accept-Encoding header. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Example::
+
+ alert http any any -> any any (http_accept_enc; content:"gzip"; sid:1;)
+
+
+http_accept_lang
+----------------
+
+Sticky buffer to match on the HTTP Accept-Language header. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Example::
+
+ alert http any any -> any any (http_accept_lang; content:"en-us"; sid:1;)
+
+
+http_connection
+---------------
+
+Sticky buffer to match on the HTTP Connection header. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Example::
+
+ alert http any any -> any any (http_connection; content:"keep-alive"; sid:1;)
+
+
+http_content_type
+-----------------
+
+Sticky buffer to match on the HTTP Content-Type headers. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Use flow:to_server or flow:to_client to force inspection of request or response.
+
+Examples::
+
+ alert http any any -> any any (flow:to_server; \
+ http_content_type; content:"x-www-form-urlencoded"; sid:1;)
+
+ alert http any any -> any any (flow:to_client; \
+ http_content_type; content:"text/javascript"; sid:2;)
+
+
+http_content_len
+----------------
+
+Sticky buffer to match on the HTTP Content-Length headers. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Use flow:to_server or flow:to_client to force inspection of request or response.
+
+Examples::
+
+ alert http any any -> any any (flow:to_server; \
+ http_content_len; content:"666"; sid:1;)
+
+ alert http any any -> any any (flow:to_client; \
+ http_content_len; content:"555"; sid:2;)
+
+To do a numeric inspection of the content length, ``byte_test`` can be used.
+
+Example, match if C-L is equal to or bigger than 8079::
+
+ alert http any any -> any any (flow:to_client; \
+ http_content_len; byte_test:0,>=,8079,0,string,dec; sid:3;)
+
+http_referer
+---------------
+
+Sticky buffer to match on the HTTP Referer header. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Example::
+
+ alert http any any -> any any (http_referer; content:".php"; sid:1;)
+
+http_start
+----------
+
+Inspect the start of a HTTP request or response. This will contain the
+request/reponse line plus the request/response headers. Use flow:to_server
+or flow:to_client to force inspection of request or response.
+
+Example::
+
+ alert http any any -> any any (http_start; content:"HTTP/1.1|0d 0a|User-Agent"; sid:1;)
+
+The buffer contains the normalized headers and is terminated by an extra
+\\r\\n to indicate the end of the headers.
+
+http_header_names
+-----------------
+
+Inspect a buffer only containing the names of the HTTP headers. Useful
+for making sure a header is not present or testing for a certain order
+of headers.
+
+Buffer starts with a \\r\\n and ends with an extra \\r\\n.
+
+Example buffer::
+
+ \\r\\nHost\\r\\n\\r\\n
+
+Example rule::
+
+ alert http any any -> any any (http_header_names; content:"|0d 0a|Host|0d 0a|"; sid:1;)
+
+Example to make sure *only* Host is present::
+
+ alert http any any -> any any (http_header_names; \
+ content:"|0d 0a 0d 0a|Host|0d 0a 0d 0a|"; sid:1;)
+
+Example to make sure *User-Agent* is directly after *Host*::
+
+ alert http any any -> any any (http_header_names; \
+ content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|"; sid:1;)
+
+Example to make sure *User-Agent* is after *Host*, but not necessarily directly after::
+
+ alert http any any -> any any (http_header_names; \
+ content:"|0d 0a|Host|0d 0a|"; content:"|0a 0d|User-Agent|0d 0a|"; \
+ distance:-2; sid:1;)
+
http_client_body
----------------
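Review bot: two of the ``http_header_names`` examples cannot match the buffer the section itself describes. The "only Host is present" rule uses ``content:"|0d 0a 0d 0a|Host|0d 0a 0d 0a|"``, but the text says the buffer starts with a single ``\r\n`` and the example buffer is ``\r\nHost\r\n\r\n``, which has only one CRLF before ``Host``; either the buffer description is off by one CRLF or the rule is. If the buffer really starts with one ``\r\n``, the rule should be ``content:"|0d 0a|Host|0d 0a 0d 0a|";`` anchored to the start of the buffer, e.g. with ``depth:10;`` (the pattern is 10 bytes, so ``depth:10`` forces it to begin at offset 0). In the "after Host, but not necessarily directly after" rule the second content is ``"|0a 0d|User-Agent|0d 0a|"``, with the CRLF bytes reversed; ``distance:-2`` re-enters the search at the ``\r\n`` that closed ``Host``, so the pattern needs to be ``"|0d 0a|User-Agent|0d 0a|"``, otherwise it never matches ``\r\nHost\r\n...User-Agent\r\n``. Smaller points in the same hunk: "reponse" in ``http_start`` should be "response"; "Content-Type headers" and "Content-Length headers" should be singular; "The \r\n after the header are not part of the buffer" (repeated in every new section) should read "is not"; "C-L" in the ``byte_test`` example is better spelled out as Content-Length; the ``http_start`` and ``http_header_names`` sections should say they are sticky buffers, as the tables do, and the note that ``http_start`` is terminated by an extra ``\r\n`` reads better before its example rather than after it; and the ``http_referer`` heading underline is longer than the heading text, unlike the other new sections.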