Content conditions are defined by regular expressions. We differentiate two kinds of content conditions: first, the expression may be declared with the payload statement, in which case it is matched against the raw payload of a connection (for reassembled TCP streams) or of each packet. Alternatively, it may be prefixed with an analyzer-specific label, in which case the expression is matched against the data as extracted by the corresponding analyzer.

A payload condition has the form:

    payload /regular expression/

Currently, the following analyzer-specific content conditions are defined (note that the corresponding analyzer has to be activated by loading its policy script):

    http-request /regular expression/
    http-request-header /regular expression/
    http-reply-header /regular expression/
    ftp /regular expression/
    finger /regular expression/

For example, http /(etc/(passwd|shadow))/ matches any URI containing either etc/passwd or etc/shadow.
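To make the difference between the two kinds of condition concrete, here is a small added example in Python (not code from the original documentation or from Bro itself): it parses conditions in the form shown above and evaluates a payload condition against the raw bytes, but an http-request condition against the decoded request URI. The http_request_uri function is a hypothetical stand-in for what the HTTP analyzer would hand to the matcher, and the sample request is constructed.

```python
import re
from urllib.parse import unquote

# Added example, not Bro's own matcher. Parses "payload /re/" or "<label> /re/".
# The greedy ".*" takes everything up to the last "/", so unescaped slashes inside
# the expression (as in the documentation's example) are tolerated.
CONDITION_RE = re.compile(r'^\s*(?P<label>[a-z-]+)\s+/(?P<regex>.*)/\s*$')


def parse_condition(line):
    """Split a content condition into (label, compiled regular expression)."""
    m = CONDITION_RE.match(line)
    if not m:
        raise ValueError("not a content condition: %r" % line)
    return m.group('label'), re.compile(m.group('regex'))


def http_request_uri(raw):
    """Hypothetical stand-in for the HTTP analyzer: the percent-decoded request URI."""
    request_line = raw.split(b'\r\n', 1)[0].decode('latin-1')
    parts = request_line.split(' ')
    if len(parts) < 2:
        return None
    return unquote(parts[1])


# Assumed mapping from analyzer label to extractor; only http-request is modelled here.
EXTRACTORS = {'http-request': http_request_uri}


def evaluate(condition, raw):
    """True if the condition matches: payload -> raw bytes, label -> analyzer output."""
    label, regex = parse_condition(condition)
    if label == 'payload':
        return regex.search(raw.decode('latin-1')) is not None
    extractor = EXTRACTORS.get(label)
    if extractor is None:
        raise ValueError("no analyzer modelled for label %r" % label)
    data = extractor(raw)
    return data is not None and regex.search(data) is not None


# Constructed sample request whose path is percent-encoded on the wire.
SAMPLE = b"GET /cgi-bin/view?f=..%2Fetc%2Fpasswd HTTP/1.0\r\nHost: example.test\r\n\r\n"


def demo():
    """Same expression, both condition kinds: only the analyzer-level one matches here."""
    return {
        'payload': evaluate('payload /etc/(passwd|shadow)/', SAMPLE),
        'http-request': evaluate('http-request /etc/(passwd|shadow)/', SAMPLE),
    }
```

The payload condition misses because the raw bytes carry etc%2Fpasswd, while the http-request condition sees the decoded URI, which is why matching on analyzer-extracted data is the more robust choice for protocol-level patterns.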