Differences From Snort
======================
-Overview
---------
This document is intended to highlight the major differences between Suricata
and Snort that apply to rules and rule writing.
Where not specified, the statements below apply to Suricata. In general,
references to Snort refer to the version 2.9 branch.
-Contents
---------
-
-.. contents::
-
Automatic Protocol Detection
----------------------------
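Review bot: removing the ``Contents`` heading together with the ``.. contents::`` directive drops the in-page table of contents for this document, and removing the ``Overview`` heading leaves its paragraph directly under the page title; both are fine only if the Sphinx sidebar or the parent toctree now supplies that navigation, so please state that intent in the commit message.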
-:tocdepth: 2
-
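Review bot: dropping the ``:tocdepth: 2`` field changes how many heading levels Sphinx lists for this document in its toctree; since the same change also turns several subsection headings into bold text, check the rendered navigation once to confirm the resulting depth is intended rather than accidental.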
HTTP Keywords
=============
.. role:: example-rule-emphasis
alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
-The following request keywords are available:
+The following **request** keywords are available:
============================== ======================== ==================
Keyword Sticky or Modifier Direction
http_header_names Sticky Buffer Both
============================== ======================== ==================
-The following response keywords are available:
+The following **response** keywords are available:
============================== ======================== ==================
Keyword Sticky or Modifier Direction
http_header_names Sticky Buffer Both
============================== ======================== ==================
+HTTP Primer
+-----------
It is important to understand the structure of HTTP requests and
responses. A simple example of a HTTP request and response follows:
-HTTP request
-------------
+**HTTP request**
::
the versions 0.9, 1.0 and 1.1, 1.0 and 1.1 are the most commonly used
today.
-HTTP response
--------------
+**HTTP response**
::
.. image:: http-keywords/uri.png
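Review bot: converting the ``HTTP request`` and ``HTTP response`` section headings into bold paragraphs removes their section anchors, so any ``:ref:`` or external link pointing at those headings will break; grep the documentation for such references before merging. Grouping them under the new ``HTTP Primer`` heading is a sensible structure, and the bare ``::`` literal-block markers still parse correctly after a bold paragraph.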
-Example of the purpose of ``http_raw_uri``:
-
-#.. image:: http-keywords/raw_uri.png
-
uricontent
----------
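Review bot: the removed ``#.. image:: http-keywords/raw_uri.png`` line was never a valid RST comment (a comment needs a bare ``..``), so it rendered as literal text and deleting it is right; but the introducing sentence about ``http_raw_uri`` goes with it, so either the ``raw_uri.png`` asset should also be removed as now unreferenced, or, if the diagram is still wanted, the image should be restored under a proper ``.. image::`` directive together with its explanation.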