The http_cookie keyword is a content modifier that restricts the search to the extracted Cookie Header field (excluding the header name itself and the CRLF terminating the header line) of a HTTP client request or a HTTP server response (per the configuration of HttpInspect 2.2.6). The Cookie buffer does not include the header names (Cookie: for HTTP requests or Set-Cookie: for HTTP responses) or leading spaces and the CRLF terminating the header line. These are included in the HTTP header buffer.
As this keyword is a modifier to the previous content keyword, there must be a content in the rule before http_cookie is specified. This keyword is dependent on the enable_cookie config option. The Cookie Header field will be extracted only when this option is configured. If enable_cookie is not specified, the cookie still ends up in HTTP header. When enable_cookie is not specified, using http_cookie is the same as using http_header.
The extracted Cookie Header field may be NORMALIZED, per the configuration of HttpInspect (see 2.2.6).