git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update http.cookie keyword information
author jason taylor <jtfas90@gmail.com>
Wed, 3 Jan 2024 22:04:23 +0000 (22:04 +0000)
committer Victor Julien <victor@inliniac.net>
Wed, 10 Apr 2024 05:03:07 +0000 (07:03 +0200)
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/http-keywords.rst

index efcb7159d6149c2ad5b1bd428d54eeaaac21dcf7..733ef7f6f1bf9df6ae598d8d604b5797b9fb07b6 100644 (file)
@@ -368,34 +368,28 @@ Abnormal HTTP Header Example::
 http.cookie
 -----------
 
-With the ``http.cookie`` sticky buffer it is possible to match
-specifically on the HTTP cookie contents. Keywords like ``depth``,
-``distance``, ``offset``, ``nocase`` and ``within`` can be used
-with ``http.cookie``.
+The ``http.cookie`` keyword is used to match on the cookie field that can be
+present in HTTP request (Cookie) or HTTP response (Set-Cookie) headers.
 
-Note that cookies are passed in HTTP headers but Suricata extracts
-the cookie data to ``http.cookie`` and will not match cookie content
-put in the ``http.header`` sticky buffer.
-
-Example of a cookie in a HTTP request:
+It is possible to use any of the :doc:`payload-keywords` with both ``http.header``
+keywords.
 
-Examples::
+.. note:: Cookies are passed in HTTP headers but Suricata extracts the cookie 
+  data to ``http.cookie`` and will not match cookie content put in the 
+  :ref:`http.header` sticky buffer.
 
-    GET / HTTP/1.1
-    User-Agent: Mozilla/5.0
-    Host: www.example.com
-    Cookie: PHPSESSIONID=1234
-    Connection: close
+Example HTTP Request::
 
-Example ``http.cookie`` keyword in a signature:
+  GET /index.html HTTP/1.1
+  User-Agent: Mozilla/5.0
+  Cookie: PHPSESSION=123
+  Host: suricata.io
 
 .. container:: example-rule
 
-    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request
-    with Cookie"; flow:established,to_server; http.method; content:"GET";
-    http.uri; content:"/"; fast_pattern; :example-rule-emphasis:`http.cookie;
-    content:"PHPSESSIONID="; startswith;` classtype:bad-unknown; sid:123;
-    rev:1;)
+  alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Cookie Example"; \
+  flow:established,to_server; :example-rule-emphasis:`http.cookie; \
+  content:"PHPSESSIONID=123";` bsize:14; classtype:bad-unknown; sid:80; rev:1;)
 
 .. _http.user_agent:
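
Review bot: The new example rule cannot match the example request above it: the request carries "Cookie: PHPSESSION=123" (14 bytes), while the rule uses content:"PHPSESSIONID=123" (16 bytes) together with bsize:14, so the content is longer than the buffer size the rule requires. Change the content to "PHPSESSION=123", or change the request and the bsize value so that all three agree. In the same hunk, the sentence "It is possible to use any of the :doc:`payload-keywords` with both ``http.header`` keywords." names ``http.header`` inside the http.cookie section; it should name ``http.cookie``, and "both" has no referent there since only one keyword is described. The two added lines ending in "the cookie " and "put in the " also carry trailing whitespace.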