<action> <proto> <src_ip> <src_port> <dir> <dst_ip> <dst_port> ( <option:value>; ... )
| Option | Purpose |
|---|---|
| msg:"..." | Alert message text |
| flow:to_server,established | Direction (to_server / to_client) plus TCP state (established) |
| http_uri | Restrict the following content/pcre to the (normalized) URI buffer |
| http_header | Restrict the following content/pcre to the HTTP header buffer |
| http_method | Restrict the following content/pcre to the request method (GET/POST) |
| content:"..." | Substring match, case-sensitive; non-printable bytes can be written in hex as \|3a\| |
| content:"..."; nocase; | Case-insensitive; nocase modifies the content keyword immediately before it |
| pcre:"/.../i" | PCRE regex; put a content match in front of it so the regex only runs on packets that already matched the fast pattern |
| sid:N | Rule ID (≥1000000 for local rules) |
| rev:N | Revision, incremented whenever the rule changes |

The buffer keywords are written here as sticky buffers, as in Snort 3: http_uri, http_header and http_method come before the content or pcre they apply to, and stay in effect until the next buffer keyword. In Snort 2 syntax the same keywords are modifiers placed after the content they qualify (content:"..."; http_uri;), and Suricata's sticky-buffer form uses the dotted names http.uri, http.header and http.method.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sqlmap UA"; flow:to_server,established; http_header; content:"User-Agent: sqlmap"; sid:1000100; rev:1;)
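As an added illustration that is not part of this page and not Snort or Suricata code, the Python below parses a rule in the format above, lints it for the conventions in the table (action, msg/sid/rev present, local sid range, pcre anchored by a content), and evaluates its flow, buffer, content, nocase and pcre options against two constructed HTTP requests. The buffer semantics are simplified by assumption: buffer keywords are sticky as in Snort 3, http_uri is matched against the raw rather than the normalized URI, the established state is ignored, and escaped quotes inside content are not handled. The request data is constructed, not captured.

```python
"""Parse a single-line Snort/Suricata-style rule, lint it, and evaluate it
against an HTTP request. Added example with simplified buffer semantics;
not Snort or Suricata code."""
import re

# <action> <proto> <src_ip> <src_port> <dir> <dst_ip> <dst_port> ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Split on ';' only when an even number of '"' follows it, i.e. outside quotes
# (assumption: no escaped quotes inside content strings).
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')
ACTIONS = {"alert", "log", "pass", "drop", "reject"}
# Sticky buffer keywords (Snort 3 style) mapped to request fields.
BUFFERS = {"http_uri": "uri", "http_header": "headers", "http_method": "method"}


def parse_rule(rule):
    """Return (header dict, ordered list of (keyword, value)); value is None for bare keywords."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("rule is not '<header> ( <option:value>; ... )' on one line")
    header = m.groupdict()
    options = []
    for raw in OPT_SPLIT_RE.split(header.pop("opts")):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            options.append((key.strip(), value.strip().strip('"') if value else None))
    return header, options


def lint_rule(rule):
    """Checks worth running before submitting a rule; returns a list of findings."""
    try:
        header, options = parse_rule(rule)
    except ValueError as err:
        return [str(err)]
    findings = []
    keys = [k for k, _ in options]
    if header["action"] not in ACTIONS:
        findings.append("unknown action %r" % header["action"])
    for required in ("msg", "sid", "rev"):
        if required not in keys:
            findings.append("missing %s" % required)
    sid = dict(options).get("sid")
    if sid is not None and (not sid.isdigit() or int(sid) < 1000000):
        findings.append("sid should be a number >= 1000000 for local rules")
    if "pcre" in keys and "content" not in keys:
        findings.append("pcre without a content anchor is slow: add a content match")
    return findings


def decode_content(pattern):
    """Expand |hex| segments: 'User-Agent|3a 20|sqlmap' -> 'User-Agent: sqlmap'."""
    return re.sub(r"\|([0-9a-fA-F\s]+)\|",
                  lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"),
                  pattern)


def buffer_text(request, buf_name):
    """Text a content/pcre is matched against; None means the whole request."""
    if buf_name is None:
        return "%s %s HTTP/1.1\r\n%s" % (request["method"], request["uri"], request["headers"])
    return request[buf_name]


def evaluate(rule, request):
    """True if every flow/content/pcre option of the rule matches the request."""
    _, options = parse_rule(rule)
    buf_name = None      # current sticky buffer
    contents = []        # [text, pattern, nocase]; nocase is applied afterwards
    for key, value in options:
        if key in BUFFERS:
            buf_name = BUFFERS[key]
        elif key == "flow":
            wanted = {f for f in value.split(",") if f in ("to_server", "to_client")}
            if wanted and request["direction"] not in wanted:
                return False  # 'established' is assumed and not checked here
        elif key == "content":
            contents.append([buffer_text(request, buf_name), decode_content(value), False])
        elif key == "nocase":
            if not contents:
                raise ValueError("nocase must follow a content keyword")
            contents[-1][2] = True
        elif key == "pcre":
            body, _, flags = value.rpartition("/")   # "/regex/flags"
            regex = re.compile(body[1:], re.IGNORECASE if "i" in flags else 0)
            if not regex.search(buffer_text(request, buf_name)):
                return False
    for text, pattern, nocase in contents:
        if nocase:
            text, pattern = text.lower(), pattern.lower()
        if pattern not in text:
            return False
    return True


# Constructed sample requests (not captures) and the rule from the page.
SQLMAP_REQUEST = {"direction": "to_server", "method": "GET", "uri": "/item.php?id=1%20AND%201=1",
                  "headers": "Host: shop.example\r\nUser-Agent: sqlmap/1.7.2#stable (https://sqlmap.org)\r\nAccept: */*\r\n"}
BROWSER_REQUEST = {"direction": "to_server", "method": "GET", "uri": "/item.php?id=1",
                   "headers": "Host: shop.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0\r\n"}
EXAMPLE_RULE = ('alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sqlmap UA"; '
                'flow:to_server,established; http_header; content:"User-Agent: sqlmap"; sid:1000100; rev:1;)')

if __name__ == "__main__":
    print("lint:", lint_rule(EXAMPLE_RULE))
    print("sqlmap:", evaluate(EXAMPLE_RULE, SQLMAP_REQUEST), "browser:", evaluate(EXAMPLE_RULE, BROWSER_REQUEST))
```

Changing the content to "user-agent: SQLMAP" without nocase makes the rule miss the constructed sqlmap request, and adding nocase after it restores the match, which is the case-sensitivity point from the table; switching the sticky buffer to http_uri lets the same machinery match the "AND" in the query string instead of the header.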
Submit your rule on a single line, exactly matching the canonical format shown above.