pkt_data

The pkt_data rule option sets the detection cursor to the start of normalized packet data.

Rules that do not include any buffer specifiers will check payload options against the pkt_data buffer by default. However, one might want to use the pkt_data buffer explicitly either for clarification purposes, or to return the cursor to normalized packet data after using some other sticky buffer.

It's important to note that unless search_engine.detect_raw_tcp is set to true in one's Snort configuration, not everything from a packet's payload gets placed in the pkt_data buffer. For example, if Snort detects traffic as HTTP, then elements like the URI and headers would not be placed in the pkt_data buffer. Therefore, users will want to use this buffer to detect normalized packet payload bytes that are not available for detection in other buffers (such as the http_* buffers).

The search_engine.detect_raw_tcp configuration option is set to false by default for performance reasons.
Format:
pkt_data;

Examples:
pkt_data;
content:"pizza", depth 5;

pkt_data;
content:"AAAAAA";
bufferlen:>1000;
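The following snort.lua fragment is an added example, not part of the Snort manual: it enables search_engine.detect_raw_tcp and defines one rule that inspects the normalized URI via http_uri and then uses pkt_data to move the cursor back to packet data for a second match. The message text and sid value are constructed placeholders.

```lua
-- Added example (not from the Snort manual): a snort.lua fragment.
-- detect_raw_tcp defaults to false for performance reasons; setting it to
-- true makes the full TCP payload available in the pkt_data buffer, including
-- bytes that the HTTP inspector would otherwise keep out of it.
search_engine =
{
    detect_raw_tcp = true,
}

-- Rules may be given inline as a string via ips.rules.
ips =
{
    enable_builtin_rules = false,
    rules = [[
    # First match against the normalized URI with the http_uri sticky buffer,
    # then explicitly switch back to pkt_data so the second content match is
    # evaluated against normalized packet data rather than the URI buffer.
    # sid 1000001 is a constructed placeholder; pick one from your local range.
    alert http any any -> any any (
        msg:"EXAMPLE uri match followed by pkt_data match";
        http_uri; content:"/login", nocase;
        pkt_data; content:"AAAAAA";
        sid:1000001; rev:1;
    )
    ]],
}
```

Without the pkt_data line, the second content match would still be evaluated against the http_uri buffer, since sticky buffers stay selected until another buffer option is given.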