Documentation #6924

closed

replicate http.cookie behavior from "Differences From Snort" to http.cookie

Added by Brandon Murphy 8 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This section/note of http.cookie behavior only exists within the "differences from snort" section of docs:

https://docs.suricata.io/en/latest/rules/differences-from-snort.html#http-cookie-buffer

If a request contains multiple "Cookie" or "Set-Cookie" headers, the values will be concatenated in the Suricata http_cookie buffer, in the order seen from top to bottom, with a comma and space (", ") between each of them.

Other keywords that exhibit the same behavior have notes on them within the keyword-specific section (https://docs.suricata.io/en/latest/rules/http-keywords.html#http-header-and-http-header-raw).
