The pkt_data rule option sets the detection cursor to the start of normalized packet data.

Rules that do not include any buffer specifiers will check payload options against the pkt_data buffer by default. However, one might want to use the pkt_data buffer explicitly, either for clarity or to return the cursor to normalized packet data after using some other sticky buffer.

It's important to note that unless search_engine.detect_raw_tcp is set to true in one's Snort configuration, not everything from a packet's payload gets placed in the pkt_data buffer. For example, if Snort detects traffic as HTTP, then elements like the URI and headers would not be placed in the pkt_data buffer. Therefore, users will want to use this buffer to detect normalized packet payload bytes that are not available for detection in other buffers (such as

The search_engine.detect_raw_tcp configuration option is set to false by default for performance reasons.
Examples:

pkt_data; content:"pizza", depth 5;
pkt_data; content:"AAAAAA"; bufferlen:>1000;

The first fragment looks for "pizza" within the first 5 bytes of normalized packet data. The second matches only when "AAAAAA" is present and the pkt_data buffer is longer than 1000 bytes.
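To show both points above in context (enabling detect_raw_tcp, and using pkt_data to return the cursor after another sticky buffer), here is an added snort.lua fragment. It is example configuration written for this page, not from the Snort documentation or project; the rule's msg text, matched strings and sid value are constructed placeholders, and the rule is given inline via ips.rules only so the fragment stands alone.

```lua
-- Added example (not from the Snort documentation): a snort.lua fragment that
-- enables raw TCP detection and defines one local rule that uses pkt_data to
-- return the detection cursor after an http_uri match.
-- The sid, msg text and matched strings are constructed placeholders.

search_engine =
{
    -- Off by default for performance; when true, the full normalized TCP
    -- payload is also searched in the pkt_data buffer.
    detect_raw_tcp = true,
}

ips =
{
    -- Rules given inline for a self-contained example; in a real deployment
    -- they would normally live in a separate .rules file.
    rules = [[
alert tcp any any -> any 80 (
    msg:"LOCAL example: admin path with oversized raw payload";
    flow:to_server, established;
    -- cursor moves to the HTTP URI buffer for this content check
    http_uri; content:"/admin", nocase;
    -- cursor returns to normalized packet data for the remaining checks
    pkt_data; content:"AAAAAA"; bufferlen:>1000;
    sid:1000001; rev:1;
)
    ]],
}
```

Without the search_engine block, the pkt_data checks would run against a buffer that, for HTTP traffic, does not hold the URI or headers, so the rule would see less of the payload than it does with detect_raw_tcp = true.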