This rule constrains the search for the pattern "Not Found" to the extracted Status Message field of a HTTP server response.
alert tcp any any -> any 80 (content:"ABC"; content:"Not Found"; http_stat_msg;)
|
Note:
The http_stat_msg modifier is not allowed to be used with the rawbytes or fast_pattern modifiers for the same content.
|