The pkt_data Keyword
The pkt_data keyword provides a pointer that serves as the reference for the positional arguments available to other keywords such as content, byte_jump, byte_test, and pcre.

When normalized FTP, telnet, or SMTP traffic is detected, the pkt_data keyword points to the beginning of the normalized packet payload. When other traffic is detected, the pkt_data keyword points to the beginning of the raw TCP or UDP payload.
The following normalization options must be enabled for the system to normalize the corresponding traffic for inspection by intrusion rules:
- Enable the FTP & Telnet preprocessor Detect Telnet Escape codes within FTP commands option to normalize FTP traffic for inspection.
- Enable the FTP & Telnet preprocessor Normalize telnet option to normalize telnet traffic for inspection.
- Enable the SMTP preprocessor Normalize option to normalize SMTP traffic for inspection.

You can use multiple pkt_data keywords in a rule.
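As an added example that is not part of this documentation, the following rule uses two pkt_data keywords so that both the command check and the line-length check are measured from the start of the normalized SMTP payload (which requires the SMTP preprocessor Normalize option above). The rule variables $EXTERNAL_NET and $SMTP_SERVERS, the sid, and the 512-byte threshold (the RFC 5321 command-line limit) are assumed values.

```snort
# Constructed example rule, not from the Snort/Firepower documentation.
# Flags a MAIL FROM command line that runs past 512 bytes without a CRLF.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
  msg:"SMTP MAIL FROM command line exceeds 512 bytes (constructed example)"; \
  flow:to_server,established; \
  # First pkt_data: anchor the cursor at byte 0 of the normalized SMTP payload,
  # so depth:10 covers exactly the "MAIL FROM:" verb at the start of the command.
  pkt_data; content:"MAIL FROM|3A|"; depth:10; nocase; \
  # Require at least 512 more bytes after the verb; the cursor is now past
  # the match, so this relative check counts from the end of "MAIL FROM:".
  isdataat:512,relative; \
  # Second pkt_data: reset the cursor to the payload start again, so the
  # negated content is evaluated over the first 512 bytes of the normalized
  # command rather than from wherever the previous match ended.
  pkt_data; content:!"|0D 0A|"; depth:512; \
  classtype:protocol-command-decode; sid:1000001; rev:1; )
```

Because the buffer is the normalized payload, telnet-style escape sequences that the SMTP preprocessor strips do not count toward the 512 bytes, which is the point of enabling normalization before relying on positional checks.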