raw_data

The raw_data rule option in Snort 3 replaces the old rawbytes keyword from Snort 2, and it sets the cursor to raw packet data. It is different from pkt_data in that it will ignore certain preprocessing and normalization done by Snort.

Note: This option will likely not be used often as it was introduced in Snort 2 to remediate Telnet-related issues back in the day.

Format:

raw_data;

Examples:

# telnet NOP
raw_data;
content:"|FF F1|";
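
Why the telnet NOP example needs raw_data, as an added Python sketch (not from the Snort documentation or code base): it applies a simplified model of telnet normalization, removing IAC command sequences as defined in RFC 854, and checks the same pattern against the raw and the normalized view. The function names, the sample payload and the normalization model itself are assumptions made for illustration.

```python
# Added illustration: simplified model of telnet normalization (RFC 854 IAC
# handling). Not Snort's implementation; all names here are hypothetical.
IAC, SE, SB = 0xFF, 0xF0, 0xFA
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def normalize_telnet(raw: bytes) -> bytes:
    """Return the payload with telnet command sequences removed."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            i += 1  # dangling IAC at end of segment: drop it
        elif raw[i + 1] == IAC:
            out.append(IAC)  # IAC IAC is an escaped literal 0xFF data byte
            i += 2
        elif raw[i + 1] in NEGOTIATION:
            i += 3  # IAC <WILL|WONT|DO|DONT> <option>
        elif raw[i + 1] == SB:
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2  # skip through the closing IAC SE
        else:
            i += 2  # two-byte command such as NOP (IAC F1)
    return bytes(out)


def buffers_matching(raw: bytes, pattern: bytes) -> dict:
    """Report whether pattern is found in the raw and the normalized view."""
    return {
        "raw_data": pattern in raw,
        "pkt_data": pattern in normalize_telnet(raw),
    }


# Constructed sample payload: "ro", IAC NOP, "ot", IAC DO ECHO, CR LF
SAMPLE = b"ro\xff\xf1ot\xff\xfd\x01\r\n"
NOP = b"\xff\xf1"  # the same bytes as content:"|FF F1|"

if __name__ == "__main__":
    print(normalize_telnet(SAMPLE))
    print(buffers_matching(SAMPLE, NOP))
    print(buffers_matching(SAMPLE, b"root"))
```

In this model the NOP bytes are only present in the raw view, while the typed text is only contiguous in the normalized view, which is the distinction between raw_data and pkt_data.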