HTTP content and protected_content Keyword Arguments
HTTP URI
Select this option to search for content matches in the normalized request URI field.
Note that you cannot use this option in combination with the pcre keyword HTTP URI (U) option to search the same content.
Note: A pipelined HTTP request packet contains multiple URIs. When HTTP URI is selected and the rules engine detects a pipelined HTTP request packet, the rules engine searches all URIs in the packet for a content match.
HTTP Raw URI
Select this option to search for content matches in the normalized request URI field.
Note that you cannot use this option in combination with the pcre keyword HTTP URI (U) option to search the same content.
Note: A pipelined HTTP request packet contains multiple URIs. When HTTP URI is selected and the rules engine detects a pipelined HTTP request packet, the rules engine searches all URIs in the packet for a content match.
HTTP Method
Select this option to search for content matches in the request method field, which identifies the action, such as GET and POST, to take on the resource identified in the URI.
HTTP Header
Select this option to search for content matches in the normalized header field, except for cookies, in HTTP requests; also in responses when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled.
Note that you cannot use this option in combination with the pcre keyword HTTP header (H) option to search the same content.
HTTP Raw Header
Select this option to search for content matches in the raw header field, except for cookies, in HTTP requests; also in responses when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled.
Note that you cannot use this option in combination with the pcre keyword HTTP raw header (D) option to search the same content.
HTTP Cookie
Select this option to search for content matches in any cookie identified in a normalized HTTP client request header; also in response set-cookie data when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled. Note that the system treats cookies included in the message body as body content.
You must enable the HTTP Inspect preprocessor Inspect HTTP Cookies option to search only the cookie for a match; otherwise, the rules engine searches the entire header, including the cookie.
Note the following:
- You cannot use this option in combination with the pcre keyword HTTP cookie (C) option to search the same content.
- The Cookie: and Set-Cookie: header names, leading spaces on the header line, and the CRLF that terminates the header line are inspected as part of the header and not as part of the cookie.
HTTP Raw Cookie
Select this option to search for content matches in any cookie identified in a raw HTTP client request header; also in response set-cookie data when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled. Note that the system treats cookies included in the message body as body content.
You must enable the HTTP Inspect preprocessor Inspect HTTP Cookies option to search only the cookie for a match; otherwise, the rules engine searches the entire header, including the cookie.
Note the following:
- You cannot use this option in combination with the pcre keyword HTTP raw cookie (K) option to search the same content.
- The Cookie: and Set-Cookie: header names, leading spaces on the header line, and the CRLF that terminates the header line are inspected as part of the header and not as part of the cookie.
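The header/cookie boundary described in the HTTP Cookie and HTTP Raw Cookie notes, shown as an added example that is not part of the original documentation and is not the HTTP Inspect preprocessor's code. It is a simplified Python model that performs no normalization; the function names and the sample headers are assumptions constructed for illustration.

```python
# Added illustration: a simplified model of the header/cookie split described
# above. It is not the HTTP Inspect preprocessor's code; names are hypothetical.

COOKIE_NAMES = (b"cookie:", b"set-cookie:")


def split_header_and_cookie(raw_headers: bytes, inspect_cookies: bool = True):
    """Return (header_buffer, cookie_buffer) for one block of HTTP header lines.

    With inspect_cookies=False the whole block stays in the header buffer,
    matching the documented fallback when Inspect HTTP Cookies is disabled.
    """
    if not inspect_cookies:
        return raw_headers, b""
    header, cookie = bytearray(), bytearray()
    for line in raw_headers.split(b"\r\n"):
        if not line:
            continue
        if line.lower().startswith(COOKIE_NAMES):
            name_end = line.index(b":") + 1
            value = line[name_end:]
            stripped = value.lstrip(b" \t")
            lead = value[: len(value) - len(stripped)]
            # Header name and leading spaces stay with the header...
            header += line[:name_end] + lead
            # ...and only the cookie data goes to the cookie buffer.
            cookie += stripped
        else:
            header += line
        # The CRLF terminating each line is header data, never cookie data.
        header += b"\r\n"
    return bytes(header), bytes(cookie)


def content_match(buffer: bytes, content: bytes) -> bool:
    """Case-sensitive content search, modeled as a plain substring test."""
    return content in buffer


# Constructed sample request headers (not captured traffic).
SAMPLE = (
    b"Host: www.example.com\r\n"
    b"Cookie:  session=abc123; theme=dark\r\n"
    b"User-Agent: demo\r\n"
)
```

In this model, a content match for the text Cookie: succeeds against the header buffer and fails against the cookie buffer, which is why a rule that targets a cookie value should not include the header name in the content it searches for with a cookie option.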
HTTP Client Body
Select this option to search for content matches in the message body in an HTTP client request.
Note that for this option to function, you must specify a value of 0 to 65535 for the HTTP Inspect preprocessor HTTP Client Body Extraction Depth option.
HTTP Status Code
Select this option to search for content matches in the 3-digit status code in an HTTP response.
You must enable the HTTP Inspect preprocessor Inspect HTTP Responses option for this option to return a match.
HTTP Status Message
Select this option to search for content matches in the textual description that accompanies the status code in an HTTP response.
You must enable the HTTP Inspect preprocessor Inspect HTTP Responses option for this option to return a match.