Hello,
i tried to create a mangle rule that should mark connection that contains a string (this string is on “content” attribute).
This connection is routed to a local gateway in the same subnet.
The connection is marked but the connection is not working well.
It seems to be srcnatted because i can see as reply dst address the IP of the PPPOE-OUT interface.
If i try to mark connection using dst address, the connection is routed and working well.
Do i need to put other rule to make the rule work with “content” attribute?
Search threads for blocking ssh or login attempts. A chap wrote a script that he/she uses to detect something similar to what you are asking in terms of detecting strings or something.
I wish I knew how ti interpret the script because it has promise for many types of applications.
Found it… check out the script presented it may give you some ideas
http://forum.mikrotik.com/t/firewall-rule-for-remote-connection-ts/127931/3
Hello
That guy wants to detect string in the logs.
I want to mark for example all connections that has a string in the URL and route them to specific local gateway but seems that using “content” tag it doesn’t mark the connection in time
Nobody can help me about this issue?
Wish I could help, but I can hardly even spell skwipt… see!! 
The best hope is for me to start cwying…sniff sniff sob…
You can route a connection with some content somewhere else, as long as the content is in very first packet of that connection. Which rules out all tcp connections, because they start with SYN paket that doesn’t contain anything useful. You can start routing packets elsewhere later, when content comes, but it would only work with redundant routes without any stateful filters, which is probably not what you have.