http.request_body
-----------------
-With the ``http.request_body`` sticky buffer, it is possible to
-match specifically and only on the HTTP request body. The keyword can
-be used in combination with all previously mentioned content modifiers
-like ``distance``, ``offset``, ``nocase``, ``within``, etc.
+The ``http.request_body`` keyword is used to match on the HTTP request body
+that can be present in an HTTP request.
+
+It is possible to use any of the :doc:`payload-keywords` with the
+``http.request_body`` keyword.
+
+Example HTTP Request::
+
+ POST /suricata.php HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Host: suricata.io
+ Content-Length: 23
+ Connection: Keep-Alive
-Example of ``http.request_body`` in a HTTP request:
+ Suricata request body
+.. container:: example-rule
-Example of the purpose of ``http.client_body``:
+ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request Body Example"; \
+ flow:established,to_server; :example-rule-options:`http.request_body; \
+ content:"Suricata request body";` classtype:bad-unknown; sid:115; rev:1;)
-Note: how much of the request/client body is inspected is controlled
-in the :ref:`libhtp configuration section
-<suricata-yaml-configure-libhtp>` via the ``request-body-limit``
-setting.
+.. note:: How much of the request/client body is inspected is controlled
+ in the :ref:`libhtp configuration section
+ <suricata-yaml-configure-libhtp>` via the ``request-body-limit``
+ setting.
-``http.request_body`` replaces the previous keyword name: ```http_client_body``. You may continue
-+to use the previous name, but it's recommended that rules be converted to use
-+the new name.
+.. note:: ``http.request_body`` replaces the previous keyword name,
+ ``http_client_body``. ``http_client_body`` can still be used but it is
+ recommended that rules be converted to use ``http.request_body``.
.. _http.stat_code:
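Review bot: The rewritten opening paragraph drops the term "sticky buffer" that the removed text used, so the only remaining hint that ``http.request_body`` must precede the ``content`` it applies to is the ordering in the example rule. Consider keeping "sticky buffer" in the first sentence, which currently reads as a tautology ("match on the HTTP request body that can be present in an HTTP request"). In the example request, ``Content-Length: 23`` is followed by a body shown as ``Suricata request body``, which is 21 bytes as displayed. If the value is meant to count a trailing CRLF, that is fine, but it is worth confirming so the example is self-consistent. The first note still says "request/client body"; since the second note steers readers away from the old name, "request body" alone would be more consistent.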