|
|
|
|
@ -20,7 +20,7 @@ Example::
|
|
|
|
|
|
|
|
|
|
In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer.
|
|
|
|
|
|
|
|
|
|
The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer.
|
|
|
|
|
The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
@ -44,6 +44,16 @@ http_cookie Modifier Both
|
|
|
|
|
http_user_agent Modifier Request
|
|
|
|
|
http_host Modifier Request
|
|
|
|
|
http_raw_host Modifier Request
|
|
|
|
|
http_accept Sticky Buffer Request
|
|
|
|
|
http_accept_lang Sticky Buffer Request
|
|
|
|
|
http_accept_enc Sticky Buffer Request
|
|
|
|
|
http_referer Sticky Buffer Request
|
|
|
|
|
http_connection Sticky Buffer Request
|
|
|
|
|
http_content_type Sticky Buffer Both
|
|
|
|
|
http_content_len Sticky Buffer Both
|
|
|
|
|
http_start Sticky Buffer Both
|
|
|
|
|
http_protocol Sticky Buffer Both
|
|
|
|
|
http_header_names Sticky Buffer Both
|
|
|
|
|
============================== ======================== ==================
|
|
|
|
|
|
|
|
|
|
The following response keywords are available:
|
|
|
|
|
@ -59,6 +69,11 @@ http_raw_header Modifier Both
|
|
|
|
|
http_cookie Modifier Both
|
|
|
|
|
http_server_body Modifier Response
|
|
|
|
|
file_data Sticky Buffer Response
|
|
|
|
|
http_content_type Sticky Buffer Both
|
|
|
|
|
http_content_len Sticky Buffer Both
|
|
|
|
|
http_start Sticky Buffer Both
|
|
|
|
|
http_protocol Sticky Buffer Both
|
|
|
|
|
http_header_names Sticky Buffer Both
|
|
|
|
|
============================== ======================== ==================
|
|
|
|
|
|
|
|
|
|
It is important to understand the structure of HTTP requests and
|
|
|
|
|
@ -219,6 +234,17 @@ Example of ``urilen`` in a signature:
|
|
|
|
|
You can also append ``norm`` or ``raw`` to define what sort of buffer you want
|
|
|
|
|
to use (normalized or raw buffer).
|
|
|
|
|
|
|
|
|
|
http_protocol
|
|
|
|
|
-------------
|
|
|
|
|
|
|
|
|
|
The ``http_protocol`` inspects the protocol field from the HTTP request or
|
|
|
|
|
response line. If the request line is 'GET / HTTP/1.0\r\n', then this buffer
|
|
|
|
|
will contain 'HTTP/1.0'.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (flow:to_server; http_protocol; content:"HTTP/1.0"; sid:1;)
|
|
|
|
|
|
|
|
|
|
http_request_line
|
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
|
|
@ -301,6 +327,146 @@ Example of the purpose of ``http_user_agent``:
|
|
|
|
|
|
|
|
|
|
.. image:: http-keywords/user_agent_match.png
|
|
|
|
|
|
|
|
|
|
http_accept
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
Sticky buffer to match on the HTTP Accept header. Only contains the header
|
|
|
|
|
value. The \\r\\n after the header are not part of the buffer.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_accept; content:"image/gif"; sid:1;)
|
|
|
|
|
|
|
|
|
|
http_accept_enc
|
|
|
|
|
---------------
|
|
|
|
|
|
|
|
|
|
Sticky buffer to match on the HTTP Accept-Encoding header. Only contains the
|
|
|
|
|
header value. The \\r\\n after the header are not part of the buffer.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_accept_enc; content:"gzip"; sid:1;)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
http_accept_lang
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
Sticky buffer to match on the HTTP Accept-Language header. Only contains the
|
|
|
|
|
header value. The \\r\\n after the header are not part of the buffer.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_accept_lang; content:"en-us"; sid:1;)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
http_connection
|
|
|
|
|
---------------
|
|
|
|
|
|
|
|
|
|
Sticky buffer to match on the HTTP Connection header. Only contains the
|
|
|
|
|
header value. The \\r\\n after the header are not part of the buffer.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_connection; content:"keep-alive"; sid:1;)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
http_content_type
|
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
|
|
Sticky buffer to match on the HTTP Content-Type headers. Only contains the
|
|
|
|
|
header value. The \\r\\n after the header are not part of the buffer.
|
|
|
|
|
|
|
|
|
|
Use flow:to_server or flow:to_client to force inspection of request or response.
|
|
|
|
|
|
|
|
|
|
Examples::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (flow:to_server; \
|
|
|
|
|
http_content_type; content:"x-www-form-urlencoded"; sid:1;)
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (flow:to_client; \
|
|
|
|
|
http_content_type; content:"text/javascript"; sid:2;)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
http_content_len
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
Sticky buffer to match on the HTTP Content-Length headers. Only contains the
|
|
|
|
|
header value. The \\r\\n after the header are not part of the buffer.
|
|
|
|
|
|
|
|
|
|
Use flow:to_server or flow:to_client to force inspection of request or response.
|
|
|
|
|
|
|
|
|
|
Examples::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (flow:to_server; \
|
|
|
|
|
http_content_len; content:"666"; sid:1;)
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (flow:to_client; \
|
|
|
|
|
http_content_len; content:"555"; sid:2;)
|
|
|
|
|
|
|
|
|
|
To do a numeric inspection of the content length, ``byte_test`` can be used.
|
|
|
|
|
|
|
|
|
|
Example, match if C-L is equal to or bigger than 8079::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (flow:to_client; \
|
|
|
|
|
http_content_len; byte_test:0,>=,8079,0,string,dec; sid:3;)
|
|
|
|
|
|
|
|
|
|
http_referer
|
|
|
|
|
---------------
|
|
|
|
|
|
|
|
|
|
Sticky buffer to match on the HTTP Referer header. Only contains the
|
|
|
|
|
header value. The \\r\\n after the header are not part of the buffer.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_referer; content:".php"; sid:1;)
|
|
|
|
|
|
|
|
|
|
http_start
|
|
|
|
|
----------
|
|
|
|
|
|
|
|
|
|
Inspect the start of a HTTP request or response. This will contain the
|
|
|
|
|
request/reponse line plus the request/response headers. Use flow:to_server
|
|
|
|
|
or flow:to_client to force inspection of request or response.
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_start; content:"HTTP/1.1|0d 0a|User-Agent"; sid:1;)
|
|
|
|
|
|
|
|
|
|
The buffer contains the normalized headers and is terminated by an extra
|
|
|
|
|
\\r\\n to indicate the end of the headers.
|
|
|
|
|
|
|
|
|
|
http_header_names
|
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
|
|
Inspect a buffer only containing the names of the HTTP headers. Useful
|
|
|
|
|
for making sure a header is not present or testing for a certain order
|
|
|
|
|
of headers.
|
|
|
|
|
|
|
|
|
|
Buffer starts with a \\r\\n and ends with an extra \\r\\n.
|
|
|
|
|
|
|
|
|
|
Example buffer::
|
|
|
|
|
|
|
|
|
|
\\r\\nHost\\r\\n\\r\\n
|
|
|
|
|
|
|
|
|
|
Example rule::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_header_names; content:"|0d 0a|Host|0d 0a|"; sid:1;)
|
|
|
|
|
|
|
|
|
|
Example to make sure *only* Host is present::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_header_names; \
|
|
|
|
|
content:"|0d 0a 0d 0a|Host|0d 0a 0d 0a|"; sid:1;)
|
|
|
|
|
|
|
|
|
|
Example to make sure *User-Agent* is directly after *Host*::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_header_names; \
|
|
|
|
|
content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|"; sid:1;)
|
|
|
|
|
|
|
|
|
|
Example to make sure *User-Agent* is after *Host*, but not necessarily directly after::
|
|
|
|
|
|
|
|
|
|
alert http any any -> any any (http_header_names; \
|
|
|
|
|
content:"|0d 0a|Host|0d 0a|"; content:"|0a 0d|User-Agent|0d 0a|"; \
|
|
|
|
|
distance:-2; sid:1;)
|
|
|
|
|
|
|
|
|
|
http_client_body
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
|
Victor Julien
8 years ago