pkt_data and file_data
**pkt\_data** and **file\_data** are generally written in front of the detection item, and are used to declare the detection content of the subsequent detection item, which is the traffic content (**pkt\_data**) or file content (**file\_data**). By default, the content to be detected is traffic content (**pkt\_data**). Example: > flow: from\_server, message; <font color =red>pkt\_data;</font> content:"test1"; http\_uri; content:"test2"; http\_host; <font color = red>file\_data;</font> content:"test3"; This signature indicates that, within the message detection scope, the **test1** feature string in the HTTP URI field, **test2** feature string in the Host field of the HTTP header, and **test3** feature string in the HTTP file payload are matched. For the preceding rules, only one **pkt\_data** is declared for the first two detection items, and **pkt\_data** can modify all subsequent detection items. When the detection content needs to be switched, for example, from traffic to file, declare the new detection scope (**file\_data**). The content in file detection will be described in detail in the chapter of file data detection.