This rule constrains the search for the pattern "EFG" to the extracted unnormalized Cookie header field of an HTTP client request.
alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_cookie;)
Note:
The http_raw_cookie modifier is not allowed to be used with the rawbytes, http_cookie or fast_pattern modifiers for the same content.
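The buffer scoping described above, modelled in Python as an added example (not Snort code and not part of the original manual). It assumes the raw cookie buffer is the Cookie header value exactly as sent; `raw_cookie`, `rule_matches`, `request` and the sample requests are constructed for illustration.

```python
# Simplified model of: content:"ABC"; content:"EFG"; http_raw_cookie;
# Assumption: the raw cookie buffer holds the Cookie header value
# byte-for-byte as the client sent it, with no decoding applied.

def raw_cookie(req: bytes) -> bytes:
    """Return the Cookie header value(s) from the request head, undecoded."""
    head = req.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            values.append(value.strip())
    return b"; ".join(values)

def rule_matches(req: bytes) -> bool:
    """"ABC" may appear anywhere; "EFG" must appear in the raw cookie."""
    # Both contents are case-sensitive because the rule has no nocase.
    return b"ABC" in req and b"EFG" in raw_cookie(req)

def request(uri: str, cookie: str) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (f"GET {uri} HTTP/1.1\r\nHost: example.test\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()

SAMPLES = {
    "EFG in cookie":          request("/ABC", "id=EFG"),
    "EFG only in URI":        request("/ABC?x=EFG", "id=1"),
    "EFG percent-encoded":    request("/ABC", "id=%45FG"),
    "lower-case efg":         request("/ABC", "id=efg"),
    "ABC missing":            request("/", "id=EFG"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:22} cookie={raw_cookie(req)!r:14} "
              f"alert={rule_matches(req)}")
```

Only the first sample alerts: the encoded and lower-case cookies show that a raw-buffer match sees the bytes as transmitted, so a rule author who also wants the decoded form needs a separate content with http_cookie.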