Suricata

It would be useful to have these as sticky buffers

Given the following headers...

HTTP/1.1 302 Moved Temporarily
Date: Mon, 01 Dec 2017 14:19:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Location: https://www.awebsiteforyou.cf/This/isntreal.aspx?flag=1
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

If we wanted to write a rule on the junk tld in location, we currently have to do...

content:"Location|3a 20|"; http_header; pcre:"/^[^\r\n]+\.cf\//HRi";

Would be nice to do something like

http_location; content:".cf/";

Also, it would be nice to have the server as a buffer as we have to rely on http_header here as well.

content:"|0d 0a|Server|3a 20|Apache"; http_header;

http_server; content:"Apache"; depth:6;