Determine if python code was sent through port 80

edit

Hello,

I'm looking at a pcap where a connection was made through port 80 using http protocol. I plan on writing a snort rule that checks to see if a python script was sent in the contents of a packet rather than regular html (or anything to display a webpage). Is there any way I can determine if a script was sent without completely analyzing the contents of a packet manually? I would rather not use machine learning for this so I'm wondering if there a discrete way I can figure out if a script was sent.

The reason why I want to do this is to see if attackers are sending commands to malware through this port.

Thanks