Hello Wu,

Thank you for reaching out to Snort.

Regarding your questions, we want to explain and give some recommendations.

For the configuration check you need to use the option "--dump-config-text" instead of "--help-config", because:

--help-config - Shows available configuration options and their descriptions (help/documentation).

--dump-config-text - Dumps the actual loaded configuration values.

Doc page: https://github.com/snort3/snort3/blob/master/doc/user/dump_config.txt

According to your traffic, "/index.php" is present in the URI (like GET /index.php), but your rule won't detect it there. The "pkt_data" option searches in the message body, not in the URI itself. This means your rule will only trigger if "/index.php" also appears in the body content, which it doesn't in your case.
This happens because mixing "http_header" with "pkt_data" (which inspects body content) creates a conflict in how the rule processes the traffic.
To resolve this, either use "http_uri" instead of "pkt_data" to inspect the URI, or remove the "http_header" option to avoid section conflicts. You can also split this into separate rules if you intend to inspect both sections independently.

Doc page: https://docs.snort.org/rules/options/payload/http/uri

Recommended rules:

alert http any any -> any $HTTP_PORTS ( msg:"check pkt_data-3"; http_header; content:"Accept-Encoding: gzip"; http_uri; content:"/index.php"; sid:10001003; rev:1; )

Best regards,
Viktor


From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of 吴超 via Snort-users <snort-users@lists.snort.org>
Date: Tuesday, 13 January 2026 at 20:27
To: snort-users@lists.snort.org <snort-users@lists.snort.org>
Subject: [Snort-users] How to support keyword 'pkt_data' in snort rules

Hi Snort experts,

I have a question about using the 'pkt_data' keyword in snort rules.
According to https://docs.snort.org/rules/options/payload/pkt_data, I need to set 'search_engine.detect_raw_tcp' to true to support 'pkt_data' in snort rules.
But after I added this setting to the configuration, it seems not to be working.
Please help to check why the configuration is not changed in my working env. Thanks

The snort version is v3.7.4.0. Here is what I tried:
(1) add a change to the snort.lua file:
    add "include('max_datect.lua')" or "search_engine.detect_raw_tcp = true" or "search_engine = { detect_raw_tcp = true }"
(2) add a parameter on the command line:
    add "--lua 'search_engine.detect_raw_tcp = true'" or "--tweaks max_detect"
After doing the above, I checked the configuration by using "--help-config search_engine |grep tcp", and got the output:
    bool search_engine.detect_raw_tcp = false: detect on TCP payload before reassembly

I also checked with some simple pcaps with the following snort rules, and it seems that no matter how the configuration is changed, the 3rd rule (with 'pkt_data' in the rule) never matches:
    alert tcp any any -> any $HTTP_PORTS ( msg:"check pkt_data-1"; content:"/index.php"; content:"Accept-Encoding: gzip"; sid:10001001; rev:1; )
    alert tcp any any -> any $HTTP_PORTS ( msg:"check pkt_data-2"; http_uri; content:"/index.php"; http_header; content:"Accept-Encoding: gzip"; sid:10001002; rev:1; )
    alert tcp any any -> any $HTTP_PORTS ( msg:"check pkt_data-3"; http_header; content:"Accept-Encoding: gzip"; pkt_data; content:"/index.php"; sid:10001003; rev:1; )
The pcap is attached to the mail.

Best Regards,
Wu Chao