This rule constrains the search for the pattern "EFG" to the extracted header fields of an HTTP client request or an HTTP server response.
alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_header;)
Note:
The http_header modifier is not allowed to be used with the rawbytes modifier for the same content.
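The following is an added example, not Snort code or part of the original manual text: a simplified Python model of how the rule above picks a buffer for each content match. It assumes the header buffer is every line after the start line up to the blank line that ends the headers, and does not model the normalization Snort's HTTP preprocessor applies; `split_http`, `rule_matches` and the sample messages are constructed for illustration.

```python
# Simplified model of buffer selection for content matches (not Snort code).
# Assumption: the header buffer is everything after the start line up to the
# blank line ending the headers; preprocessor normalization is not modelled.

def split_http(payload: bytes):
    """Return (raw_payload, header_buffer) for one HTTP message."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    _start_line, _, headers = head.partition(b"\r\n")
    return payload, headers

def rule_matches(payload: bytes, contents) -> bool:
    """contents: list of (pattern, use_http_header); every pattern must match."""
    raw, headers = split_http(payload)
    for pattern, use_http_header in contents:
        # http_header restricts this one content to the header buffer;
        # a content without the modifier is searched in the whole payload.
        buf = headers if use_http_header else raw
        if pattern not in buf:
            return False
    return True

# The rule from the text: content:"ABC"; content:"EFG"; http_header;
RULE = [(b"ABC", False), (b"EFG", True)]

# Constructed sample messages (hypothetical host and header names).
SAMPLES = {
    "EFG in a header field":
        b"GET /ABC HTTP/1.1\r\nHost: example.test\r\nX-Tag: EFG\r\n\r\n",
    "EFG only in the body":
        b"POST /ABC HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nEFG",
    "EFG only in the request line":
        b"GET /ABC/EFG HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "EFG in a header but ABC absent":
        b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Tag: EFG\r\n\r\n",
}

def evaluate_samples():
    """Map each sample name to True (alert) or False (no alert)."""
    return {name: rule_matches(p, RULE) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'alert' if hit else 'no alert'}")
```

Only the first sample alerts: "ABC" may appear anywhere in the payload, but "EFG" counts only when it sits in the header fields.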