.where modifier is used to specify signature search area:
.where=<MODE>;
where <MODE> can take following values:
|
Name |
Description |
|---|---|
|
packet_origin |
Search area is the whole packet without a protocol decoder. |
|
uri |
Search area is URI field of HTTP header. |
|
host |
Search area for HTTP session is the Host field (before line breaks). |
|
body |
Search area is the body of HTTP packets. |