[Snort-sigs] Matching host get and content

[James Lay]

Hey all,

I'm not even sure where to look for this, but in layman's terms I want 
to "match on http getting to a certain domain name and match some 
content within, only when the two match alert".  Is this a 
stream_reassemble thing?  Am I looking at something like:

flow:established,to_server; stream_reassemble;enable: content:bleh.com; 
http_header; content:stuffinpacket;

Thanks for any pointers.

James