This rule constrains the search for the pattern "200" to the extracted Status Code field of a HTTP server response.
alert tcp any any -> any 80 (content:"ABC"; content:"200"; http_stat_code;)
|
Note:
The http_stat_code modifier is not allowed to be used with the rawbytes or fast_pattern modifiers for the same content.
|