Overview: HTTP content and protected_content Keyword Arguments

HTTP content or protected_content keyword options let you specify where to search for content matches within an HTTP message decoded by the HTTP Inspect preprocessor.

Two options search status fields in HTTP responses:

  • HTTP Status Code

  • HTTP Status Message

Note that although the rules engine searches the raw, unnormalized status fields, these two options are listed separately to simplify the explanation below of the restrictions to consider when combining the other raw HTTP fields with normalized HTTP fields.

Five options search normalized fields in HTTP requests, responses, or both, as appropriate:

  • HTTP URI

  • HTTP Method

  • HTTP Header

  • HTTP Cookie

  • HTTP Client Body

Three options search raw (unnormalized) non-status fields in HTTP requests, responses, or both, as appropriate:

  • HTTP Raw URI

  • HTTP Raw Header

  • HTTP Raw Cookie

Use the following guidelines when selecting HTTP content options:

  • HTTP content options apply only to TCP traffic.

  • To avoid a negative impact on performance, select only those parts of the message where the specified content might appear.

    For example, when traffic is likely to include large cookies such as those in shopping cart messages, you might search for the specified content in the HTTP header but not in HTTP cookies.

  • To take advantage of HTTP Inspect preprocessor normalization, and to improve performance, any HTTP-related rule you create should include at least one content or protected_content keyword with an HTTP URI, HTTP Method, HTTP Header, or HTTP Client Body option selected.

  • You cannot use the replace keyword in conjunction with HTTP content or protected_content keyword options.

You can specify a single normalized HTTP option or status field, or use normalized HTTP options and status fields in any combination to target a content area to match. However, note the following restrictions when using HTTP field options:

  • You cannot use the Raw Data option together in the same content or protected_content keyword with any HTTP option.

  • You cannot use a raw HTTP field option (HTTP Raw URI, HTTP Raw Header, or HTTP Raw Cookie) together in the same content or protected_content keyword with its normalized counterpart (HTTP URI, HTTP Header, or HTTP Cookie, respectively).

  • You cannot select Use Fast Pattern Matcher in combination with one or more of the following HTTP field options:

    HTTP Raw URI, HTTP Raw Header, HTTP Raw Cookie, HTTP Cookie, HTTP Method, HTTP Status Message, or HTTP Status Code

    However, you can include the options above in a content or protected_content keyword that also uses the fast pattern matcher to search one of the following normalized fields:

    HTTP URI, HTTP Header, or HTTP Client Body

    For example, if you select HTTP Cookie, HTTP Header, and Use Fast Pattern Matcher, the rules engine searches for content in both the HTTP cookie and the HTTP header, but the fast pattern matcher is applied only to the HTTP header, not to the HTTP cookie.

  • When you combine restricted and unrestricted options, the fast pattern matcher searches only the unrestricted fields you specify to test whether to pass the rule to the intrusion rules editor for complete evaluation, including evaluation of the restricted fields.
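The guidelines and restrictions above can be checked mechanically before a rule is committed. The following linter is an added example, not code from the original documentation or from Cisco or the Snort project. It assumes that the option names on this page correspond to the Snort 2 content modifiers http_uri, http_raw_uri, http_header, http_raw_header, http_cookie, http_raw_cookie, http_method, http_client_body, http_stat_code, http_stat_msg, rawbytes (Raw Data), fast_pattern (Use Fast Pattern Matcher) and replace; the sample rule bodies in the main block are constructed for illustration. For each content or protected_content keyword it reports the combinations the restrictions forbid, lists the fields the fast pattern matcher would actually search, and warns when an HTTP-related rule uses none of the four recommended normalized fields.

```python
"""Lint the HTTP content-option combinations of a Snort 2 style rule.

Added example, not from the original documentation or from Cisco/Snort.
Assumed mapping of the page's option names to Snort 2 content modifiers:
HTTP URI -> http_uri, HTTP Raw URI -> http_raw_uri, HTTP Header -> http_header,
HTTP Raw Header -> http_raw_header, HTTP Cookie -> http_cookie,
HTTP Raw Cookie -> http_raw_cookie, HTTP Method -> http_method,
HTTP Client Body -> http_client_body, HTTP Status Code -> http_stat_code,
HTTP Status Message -> http_stat_msg, Raw Data -> rawbytes,
Use Fast Pattern Matcher -> fast_pattern.
"""

NORMALIZED = {"http_uri", "http_method", "http_header", "http_cookie", "http_client_body"}
RAW = {"http_raw_uri", "http_raw_header", "http_raw_cookie"}
STATUS = {"http_stat_code", "http_stat_msg"}
HTTP_FIELDS = NORMALIZED | RAW | STATUS
# raw field -> normalized counterpart it may not share a keyword with
RAW_COUNTERPART = {"http_raw_uri": "http_uri",
                   "http_raw_header": "http_header",
                   "http_raw_cookie": "http_cookie"}
# the only HTTP fields the fast pattern matcher is applied to
FAST_PATTERN_OK = {"http_uri", "http_header", "http_client_body"}
# fields the guidelines say every HTTP-related rule should use at least once
RECOMMENDED = {"http_uri", "http_method", "http_header", "http_client_body"}
MODIFIERS = HTTP_FIELDS | {"rawbytes", "fast_pattern", "replace"}


def split_options(options):
    """Split a rule option string on ';' characters that are outside double quotes."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_content_groups(options):
    """Group each content/protected_content keyword with the modifiers that follow it."""
    groups = []
    for opt in split_options(options):
        name, _, value = opt.partition(":")
        name = name.strip()
        if name in ("content", "protected_content"):
            groups.append({"keyword": name, "pattern": value.strip(), "modifiers": set()})
        elif name in MODIFIERS and groups:
            groups[-1]["modifiers"].add(name)
    return groups


def check_group(group):
    """Return the restriction violations for one content keyword."""
    mods = group["modifiers"]
    http = mods & HTTP_FIELDS
    problems = []
    if "rawbytes" in mods and http:
        problems.append("Raw Data (rawbytes) cannot be combined with any HTTP field option")
    if "replace" in mods and http:
        problems.append("replace cannot be used with HTTP field options")
    for raw, norm in sorted(RAW_COUNTERPART.items()):
        if raw in mods and norm in mods:
            problems.append(f"{raw} cannot be combined with its normalized counterpart {norm}")
    if "fast_pattern" in mods:
        restricted = http - FAST_PATTERN_OK
        # restricted fields are allowed only alongside an unrestricted normalized field
        if restricted and not (http & FAST_PATTERN_OK):
            problems.append("fast_pattern requires http_uri, http_header or http_client_body "
                            "when used with " + ", ".join(sorted(restricted)))
    return problems


def fast_pattern_fields(group):
    """Fields the fast pattern matcher actually searches for this keyword."""
    if "fast_pattern" not in group["modifiers"]:
        return []
    return sorted(group["modifiers"] & FAST_PATTERN_OK)


def lint_rule(options):
    """Return all findings for the option part of one rule, prefixed by keyword index."""
    groups = parse_content_groups(options)
    findings = [f"content #{i}: {p}" for i, g in enumerate(groups, 1) for p in check_group(g)]
    is_http_rule = any(g["modifiers"] & HTTP_FIELDS for g in groups)
    if is_http_rule and not any(g["modifiers"] & RECOMMENDED for g in groups):
        findings.append("rule: no content keyword uses http_uri, http_method, http_header "
                        "or http_client_body, so HTTP Inspect normalization is not used")
    return findings


if __name__ == "__main__":
    # constructed sample rule bodies (option part only)
    ok = 'msg:"admin path"; content:"/admin"; http_uri; fast_pattern; content:"session="; http_cookie;'
    bad = 'msg:"bad combo"; content:"GET"; http_method; fast_pattern; content:"x"; http_raw_uri; http_uri;'
    for body in (ok, bad):
        print(body)
        for finding in lint_rule(body) or ["no findings"]:
            print("  ", finding)
```

The check for fast_pattern mirrors the example in the text: a keyword with http_cookie, http_header and fast_pattern passes, and fast_pattern_fields reports only http_header as the field the matcher searches.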