This rule constrains the search for the pattern "EFG" to the raw body of an HTTP client request.
alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_client_body;)
| Note: The http_client_body modifier is not allowed to be used with the rawbytes modifier for the same content. |