HTTP-keywords

There are some more content modifiers (if you are unfamiliar with content modifiers, please visit the page Payload keywords). These restrict a content match to a specific part of the HTTP traffic: the uri, the cookie, the HTTP body, etcetera.

Use http_method to match on the HTTP method, http_uri or http_raw_uri to match on the uri, http_stat_code to match on the response code and http_stat_msg to match on the response message.

It is important to know a bit more about HTTP requests and responses.
A simple example of a HTTP request and response:

HTTP-request

GET /index.html HTTP/1.0\r\n

GET is the method. Methods are GET, POST, PUT, HEAD, etcetera. The uri is /index.html and HTTP/1.0 is the HTTP version. Of the versions 0.9, 1.0 and 1.1, the versions 1.0 and 1.1 are the most commonly used.

HTTP-response

HTTP/1.0 200 OK\r\n
<html>
<title> some page </title>
</html>

HTTP/1.0 is the HTTP-version, 200 the response-code and OK the response-message.

Another, more detailed example (shown in the original page as figures of a request, its response and a second request; not reproduced here):

Although the cookie is sent as a header, you can not match on it with http_header. It has its own keyword, namely http_cookie.

Each part of the request and response shown above belongs to a so-called 'buffer': the HTTP method belongs to the method buffer, the HTTP headers to the header buffer, and so on. A buffer is a part of the traffic that Suricata keeps in memory for inspection.
All previously described content modifiers can be used in combination with a buffer in a signature. The keywords distance and within are relative to the previous match, so they can only be used within the same buffer: you can not relate matches in different buffers with relative keywords.

http_method

With the http_method content modifier, it is possible to match specifically and only on the method buffer. The keyword can be used in combination with all previously mentioned content modifiers like depth, distance, offset, nocase and within.
Methods are GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.
Example of a method in a HTTP-request:

Example of the purpose of method:

http_uri and http_raw_uri

With the http_uri and http_raw_uri content modifiers, it is possible to match specifically and only on the uri buffer. These keywords can be used in combination with all previously mentioned content modifiers like depth, distance, offset, nocase and within.
To learn more about the difference between http_uri (the normalized uri) and http_raw_uri (the uri exactly as sent), please read the information about HTTP-uri normalization.

Example of uri in a HTTP-request:

Example of the purpose of http_uri:

Example of the purpose of http_raw_uri:

uricontent

The uricontent keyword has the exact same effect as the http_uri keyword. This is the deprecated, but still supported, way to match specifically and only on the uri-buffer.

Example of uricontent:

The difference between http_uri and uricontent is only the syntax: uricontent:"abc"; is written as a single keyword, whereas with http_uri the modifier follows the content, as in content:"abc"; http_uri;

http_header

With the http_header content modifier it is possible to match specifically and only on the header buffer. The keyword can be used in combination with all previously mentioned content modifiers like depth, distance, offset, nocase and within.

Note: the header buffer is normalized: any trailing whitespace and tab characters are removed from each header line. See: http://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-October/000935.html

Example of a header in a HTTP-request:

Example of the purpose of http_header:

http_cookie

With the http_cookie content modifier it is possible to match specifically and only on the cookie buffer. The keyword can be used in combination with all previously mentioned content modifiers like depth, distance, offset, nocase and within.
Note that the cookie is sent as a header, but has its own keyword and its own buffer.

Example of a cookie in a HTTP-request:

Example of the purpose of http_cookie:

http_user_agent

The http_user_agent content modifier selects the User-Agent header out of the HTTP headers. It makes it possible to match specifically on the value of the User-Agent header. The buffer does not include the "User-Agent: " header name and separator, nor the trailing carriage return and new line. The keyword can be used in combination with all previously mentioned content modifiers like depth, distance, offset, nocase and within. pcre can also inspect this buffer with the /V modifier.

An analysis into performance of http_user_agent vs http_header: http://blog.inliniac.net/2012/07/09/suricata-http_user_agent-vs-http_header/

Normalization: leading spaces are not part of this buffer, so a request containing "User-Agent: \r\n" results in an empty http_user_agent buffer.

Example of the User-Agent in a HTTP-request

Example of the purpose of http_user_agent:

http_client_body

With the http_client_body content modifier it is possible to match specifically and only on the request body. The keyword can be used in combination with all previously mentioned content modifiers like distance, offset, nocase, within, etcetera.

Example of client_body in a HTTP-request:

Example of the purpose of client_body:

Note: how much of the request (client) body is inspected is controlled by the request-body-limit setting in the "libhtp" section of your suricata.yaml. Content beyond that limit is not part of the buffer and can not be matched.

http_stat_code

With the http_stat_code content modifier it is possible to match specifically and only on the stat-code buffer. The keyword can be used in combination with all previously mentioned content modifiers like distance, offset, nocase, within, etcetera.

Example of http_stat_code in a HTTP-response:

Example of the purpose of http_stat_code:

http_stat_msg

With the http_stat_msg content modifier it is possible to match specifically and only on the stat-msg buffer. The keyword can be used in combination with all previously mentioned content modifiers like depth, distance, offset, nocase and within.

Example of http_stat_msg in a HTTP-response:

Example of the purpose of http_stat_msg:

http_server_body

With the http_server_body content modifier it is possible to match specifically and only on the response body. The keyword can be used in combination with all previously mentioned content modifiers like distance, offset, nocase, within, etcetera.

Note: how much of the response (server) body is inspected is controlled by the response-body-limit setting in the "libhtp" section of your suricata.yaml.

file_data

With file_data the HTTP response body is inspected, just like with http_server_body. The file_data keyword works a bit differently from the normal content modifiers: it is not attached to a single content, but when used in a rule all contents following it are affected by it.
Example:

alert http any any -> any any (file_data; content:"abc"; content:"xyz";)

The file_data keyword affects all following contents, until pkt_data is used or it reaches the end of the rule.

Note: how much of the response (server) body is inspected is controlled by the response-body-limit setting in the "libhtp" section of your suricata.yaml; this limit applies to file_data as well.

urilen

The keyword urilen is used to match on the length of the uri. It is possible to use < and >, which indicate smaller than and bigger than respectively.
The format of urilen is:

urilen:3;

Other possibilities are:

urilen:1;
urilen:>1;
urilen:<10;
urilen:10<>20;    (bigger than 10, smaller than 20)

Example of urilen in a signature:
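
The following is an added example, not code from the Suricata project: it models the response-side buffers described above (http_stat_code, http_stat_msg, http_server_body and file_data), the effect of response-body-limit, the way file_data and pkt_data switch the buffer for the contents that follow, and the urilen comparisons. The sample response, the response-body-limit value, the treatment of pkt_data as the raw payload and the search-window model for distance/within are assumptions made for the example.

```python
"""Added example (not Suricata or libhtp code): the response-side buffers
http_stat_code, http_stat_msg and http_server_body / file_data, the effect of
response-body-limit, and urilen.  The sample response, RESPONSE_BODY_LIMIT and
the rule-walking model are assumptions."""
import re

RESPONSE_BODY_LIMIT = 4096  # assumed value for libhtp's response-body-limit

SAMPLE_RESPONSE = (  # constructed, not captured traffic
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>\n<title> some page </title>\n"
    b"<script>eval(unescape('%75%6e%73%61%66%65'))</script>\n</html>\n"
)


def response_buffers(raw: bytes, body_limit: int = RESPONSE_BODY_LIMIT) -> dict:
    """Status code, status message and (limited) body of one HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)   # e.g. HTTP/1.0 200 OK
    return {"stat_code": parts[1], "stat_msg": parts[2] if len(parts) > 2 else b"",
            "server_body": body[:body_limit]}           # response-body-limit applies here


def content(buf, pattern, last_end=None, distance=None, within=None):
    """Plain content match; distance/within count from last_end (assumed model:
    window [last_end+distance, last_end+within)).  Returns the end offset or None."""
    start = 0 if last_end is None else last_end + (distance or 0)
    end = len(buf) if last_end is None or within is None else last_end + within
    pos = buf.find(pattern, start, end)
    return None if pos < 0 else pos + len(pattern)


def eval_rule(raw, options, body_limit=RESPONSE_BODY_LIMIT):
    """Walk rule options in order.  file_data makes every following content
    inspect the response body until pkt_data (raw payload) or the end of the
    rule; a content with its own buffer modifier (e.g. http_stat_code) inspects
    that buffer instead.  Relative modifiers chain inside the current buffer."""
    bufs = response_buffers(raw, body_limit)
    current, last_end = raw, None
    for opt in options:
        if opt[0] == "file_data":
            current, last_end = bufs["server_body"], None
        elif opt[0] == "pkt_data":
            current, last_end = raw, None
        else:  # ("content", pattern, {modifiers})
            mods = dict(opt[2])
            own = mods.pop("buffer", None)
            if own:                                   # e.g. http_stat_code
                if content(bufs[own], opt[1]) is None:
                    return False
                continue
            rel = last_end if mods.keys() & {"distance", "within"} else None
            last_end = content(current, opt[1], last_end=rel, **mods)
            if last_end is None:
                return False
    return True


def urilen_match(uri: bytes, spec: str) -> bool:
    """urilen:<spec>; with spec N, >N, <N or N<>M (both bounds exclusive, as the
    page describes), applied to the length of the uri buffer."""
    n = len(uri)
    m = re.fullmatch(r"(\d+)<>(\d+)", spec)
    if m:
        return int(m.group(1)) < n < int(m.group(2))
    if spec.startswith(">"):
        return n > int(spec[1:])
    if spec.startswith("<"):
        return n < int(spec[1:])
    return n == int(spec)


def demo() -> dict:
    """Each entry mirrors a rule body; the comment shows the Suricata syntax."""
    return {
        # content:"200"; http_stat_code; content:"OK"; http_stat_msg;
        "status": eval_rule(SAMPLE_RESPONSE, [("content", b"200", {"buffer": "stat_code"}),
                                              ("content", b"OK", {"buffer": "stat_msg"})]),
        # file_data; content:"<script>"; content:"eval("; distance:0; within:5;
        "file_data": eval_rule(SAMPLE_RESPONSE, [("file_data",), ("content", b"<script>", {}),
                                                 ("content", b"eval(", {"distance": 0, "within": 5})]),
        # file_data; content:"HTTP/1.0";   (the status line is not part of the body)
        "status_in_body": eval_rule(SAMPLE_RESPONSE, [("file_data",), ("content", b"HTTP/1.0", {})]),
        # file_data; content:"<script>"; pkt_data; content:"HTTP/1.0 200";
        "pkt_data": eval_rule(SAMPLE_RESPONSE, [("file_data",), ("content", b"<script>", {}),
                                                ("pkt_data",), ("content", b"HTTP/1.0 200", {})]),
        # the file_data rule with response-body-limit 40: the script tag lies past the limit
        "limited": eval_rule(SAMPLE_RESPONSE, [("file_data",), ("content", b"<script>", {})], body_limit=40),
        # urilen:10<>20; for the 16-byte uri /admin/login.php
        "urilen": urilen_match(b"/admin/login.php", "10<>20"),
    }
```

The "limited" entry is the practical caveat: with a response-body-limit of 40 bytes the script tag sits outside the inspected buffer, so the file_data rule that fires on the full body does not fire at all, and nothing in the alert log tells you why.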

pcre

For information about pcre check the pcre (Perl Compatible Regular Expressions) page.

fast_pattern

For information about fast_pattern check the fast_pattern page.

Attachments (figures referenced on this page, by Anne-Fleur Koolstra, 04/23/2011 to 04/11/2013): method2.png, method1.png, uri1.png, header.png, header1.png, cookie.png, cookie1.png, client_body.png, client_body1.png, stat_code.png, stat-code1.png, stat_msg.png, stat_msg_1.png, fast_pattern.png, urilen.png, urilen1.png, Legenda_rules.png, method.png, uri.png, user_agent.png, user_agent_match.png, request.png, request2.png, file_data.png, response1.png, http_server_body.png, uricontent.png, uricontent1.png, http_uri.png.