Feature #7951 (closed)
(Feature Request) Ability to reference content matches across buffers.
Description
Recently we found a malware sample that uses the same http.uri within the referer. Here is an example of the http request:
GET /2e2f5d01e14520f5 HTTP/1.1
Referer: hxxps://malware[.]com/2e2f5d01e14520f5
Host: malware.com
Connection: Keep-Alive
As far as I can tell the only way to detect this is by using a buffer-less pcre or making use of byte_ keywords.
Here is an example of the pcre I used to detect this traffic.
/^GET\x20(?P<C2URI>\x2f[a-z0-9]{16})[\s\S]+Referer\x3a\x20https?\x3a\x2f\x2f[a-zA-Z0-9]+\x2e[a-zA-Z0-9]+(?P=C2URI)[\r\n]/
There are two possible solutions that I can think of:
1. Implement a http.request buffer that includes the request line and all of the http headers.
2. Allow cross buffer matching and essentially store buffer content matches in a variable. i.e. for this example you could do something like this and perform content match of the value of http.uri;
... http.uri; pcre:"/^\x2f[a-z0-9]{16}$/"; http.referer; content:http.uri; endswith
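An added example, not code from the feature request or from Suricata: a small Python script that runs the buffer-less PCRE from the report over a constructed request, and next to it implements what the proposed `http.referer; content:http.uri; endswith` rule would express, by parsing the request into separate request-line and header "buffers" and comparing them. The sample requests are constructed (the defanged hostname from the report is re-fanged as malware.com), and the parser and function names are assumptions of this example rather than anything Suricata exposes.

```python
import re

# The reporter's buffer-less PCRE, copied from the feature request and
# compiled as a bytes pattern. Python's re supports the same (?P<name>...)
# group and (?P=name) backreference syntax that PCRE does.
C2_REFERER_RE = re.compile(
    rb"^GET\x20(?P<C2URI>\x2f[a-z0-9]{16})[\s\S]+"
    rb"Referer\x3a\x20https?\x3a\x2f\x2f[a-zA-Z0-9]+\x2e[a-zA-Z0-9]+"
    rb"(?P=C2URI)[\r\n]"
)

# The per-buffer check the proposed rule puts on http.uri.
URI_RE = re.compile(rb"^\x2f[a-z0-9]{16}$")


def match_pcre(raw: bytes) -> bool:
    """Solution 0 from the report: one unanchored PCRE over the raw request."""
    return C2_REFERER_RE.search(raw) is not None


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers).

    Hypothetical stand-in for the per-buffer view a detection engine keeps
    (request line vs. individual headers); header names are lower-cased.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def match_cross_buffer(raw: bytes) -> bool:
    """Solution 2 from the report, spelled out in code:
    http.uri; pcre:"/^\\x2f[a-z0-9]{16}$/"; http.referer; content:<http.uri>; endswith
    """
    method, target, headers = parse_request(raw)
    if method != b"GET" or URI_RE.search(target) is None:
        return False
    referer = headers.get(b"referer")
    return referer is not None and referer.endswith(target)


# Constructed sample traffic (not captured data).
SAMPLE_C2 = (
    b"GET /2e2f5d01e14520f5 HTTP/1.1\r\n"
    b"Referer: https://malware.com/2e2f5d01e14520f5\r\n"
    b"Host: malware.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Same beacon shape, but the Referer host has a subdomain.
SAMPLE_C2_SUBDOMAIN = (
    b"GET /2e2f5d01e14520f5 HTTP/1.1\r\n"
    b"Referer: https://www.malware.com/2e2f5d01e14520f5\r\n"
    b"Host: www.malware.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Benign: a 16-char hex path, but the Referer points somewhere else.
SAMPLE_BENIGN = (
    b"GET /2e2f5d01e14520f5 HTTP/1.1\r\n"
    b"Referer: https://example.com/downloads/\r\n"
    b"Host: cdn.example.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)


if __name__ == "__main__":
    for label, req in (("c2", SAMPLE_C2),
                       ("c2-subdomain", SAMPLE_C2_SUBDOMAIN),
                       ("benign", SAMPLE_BENIGN)):
        print(f"{label:13s} pcre={match_pcre(req)!s:5s} "
              f"cross-buffer={match_cross_buffer(req)}")
```

Running it shows the practical difference between the two approaches: the PCRE fires on the first sample only, because its host class `[a-zA-Z0-9]+\x2e[a-zA-Z0-9]+` admits exactly one dot and no hyphen, so a `www.` prefix on the Referer host defeats it. The cross-buffer version fires on both C2 samples and not on the benign one, since it compares the Referer against the URI value directly instead of re-describing the surrounding request bytes.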