From: jason taylor Date: Wed, 3 Jan 2024 22:04:23 +0000 (+0000) Subject: doc: update http.cookie keyword information X-Git-Tag: suricata-8.0.0-beta1~1546 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75c4cdfa1c3196f6b56bf03583e5157c7216df2f;p=thirdparty%2Fsuricata.git doc: update http.cookie keyword information Ticket: 3025 Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index efcb7159d6..733ef7f6f1 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst 
@@ -368,34 +368,28 @@ Abnormal HTTP Header Example:: http.cookie ----------- -With the ``http.cookie`` sticky buffer it is possible to match -specifically on the HTTP cookie contents. Keywords like ``depth``, -``distance``, ``offset``, ``nocase`` and ``within`` can be used -with ``http.cookie``. +The ``http.cookie`` keyword is used to match on the cookie field that can be +present in HTTP request (Cookie) or HTTP response (Set-Cookie) headers. -Note that cookies are passed in HTTP headers but Suricata extracts -the cookie data to ``http.cookie`` and will not match cookie content -put in the ``http.header`` sticky buffer. - -Example of a cookie in a HTTP request: +It is possible to use any of the :doc:`payload-keywords` with both ``http.header`` +keywords. -Examples:: +.. note:: Cookies are passed in HTTP headers but Suricata extracts the cookie + data to ``http.cookie`` and will not match cookie content put in the + :ref:`http.header` sticky buffer. - GET / HTTP/1.1 - User-Agent: Mozilla/5.0 - Host: www.example.com - Cookie: PHPSESSIONID=1234 - Connection: close +Example HTTP Request:: -Example ``http.cookie`` keyword in a signature: + GET /index.html HTTP/1.1 + User-Agent: Mozilla/5.0 + Cookie: PHPSESSION=123 + Host: suricata.io .. container:: example-rule - alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request - with Cookie"; flow:established,to_server; http.method; content:"GET"; - http.uri; content:"/"; fast_pattern; :example-rule-emphasis:`http.cookie; - content:"PHPSESSIONID="; startswith;` classtype:bad-unknown; sid:123; - rev:1;) + alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Cookie Example"; \ + flow:established,to_server; :example-rule-emphasis:`http.cookie; \ + content:"PHPSESSIONID=123";` bsize:14; classtype:bad-unknown; sid:80; rev:1;) .. _http.user_agent:
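Review bot: the example rule and the example request in this hunk do not agree, so the rule as written cannot match: the request carries `Cookie: PHPSESSION=123` (14 bytes), while the rule uses `content:"PHPSESSIONID=123"` (16 bytes) together with `bsize:14`, which no buffer can satisfy at once. Suggest `content:"PHPSESSION=123";` so the content, the `bsize:14` check and the request shown above it line up. Separately, the added paragraph "It is possible to use any of the :doc:`payload-keywords` with both ``http.header`` keywords." reads like a carry-over from the http.header section; in the http.cookie section it should say "with the ``http.cookie`` keyword".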