content (string; Default: ) Match packets that contain specified text
Does anybody use this method of catching packets containing some words, e.g. facebook, youtube…? Does it work correctly? What is the successfulness of catching packets this way? What is the impact on resource consumption?
Totally agree, it creates a lot of false positives if not used carefully. If a particular word that you’re trying to match with a rule is only mentioned once, it will already trigger that rule. That’s the downside of it.
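The false positives described in this thread, modelled as an added example (not code from the thread or from RouterOS): a per-packet substring check is compared with a check of the HTTP Host header on plaintext payloads. The function names, the payloads and the domain used are assumptions constructed for the illustration.

```python
# Added example: a model of per-packet text matching, not RouterOS code.
# Every payload below is constructed sample data.

def content_match(payload, needle):
    """Model of a 'content' rule: true if the text occurs anywhere in one packet."""
    return needle in payload

def http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    # A request line is "METHOD target HTTP/x.y"; responses and other data fail here.
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None

def host_match(payload, domain):
    """True only if the request is addressed to the domain or one of its subdomains."""
    host = http_host(payload)
    if host is None:
        return False
    host = host.split(":")[0]  # drop an optional port
    return host == domain or host.endswith("." + domain)

PACKETS = {
    "request_to_site": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "news_page_mention": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                         b"<p>Share this article on facebook</p>",
    "search_query": b"GET /search?q=facebook+outage HTTP/1.1\r\n"
                    b"Host: search.example\r\n\r\n",
    "unrelated": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
}

def evaluate(needle=b"facebook", domain="facebook.com"):
    """Map packet name -> (content rule fired, host rule fired)."""
    return {name: (content_match(p, needle), host_match(p, domain))
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (by_content, by_host) in evaluate().items():
        note = "  <- false positive" if by_content and not by_host else ""
        print(f"{name:18} content={by_content!s:5} host={by_host!s:5}{note}")
```

The two packets that only mention the word fire the substring rule although neither is traffic to the site, which is the single-mention behaviour described above.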