What is something like |01 00 01 00| in a Snort rule for a TCP packet?

Here is a Snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; nocase; distance:0; content:"|01 00 01 00|"; distance:3; within:4; content:"|2C|"; distance:0; content:"|01 00 01 00|"; distance:4; within:4; classtype:misc-activity; sid:2925; rev:2;)

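From the alert name, I can tell that it seems to block receiving HTML code that contains a 0x0 GIF in order to avoid bandwidth exhaustion. I just want to know what the |01 00 01 00| here is. Please tell me, to help me better understand the whole rule.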

|01 00 01 00| is the GIF's width and height values.

content:"|01 00 01 00|"; distance:3; within:4; matches the 4 bytes after GIF89a.

Good luck~
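As an added illustration (not part of the original question or answer), this Python sketch models how the rule's content/distance/within chain walks a GIF served over HTTP. The matcher is a simplified model of Snort's relative content matching, and the helper names and sample responses are constructed for the example.

```python
import struct

# Content chain of sid 2925 as (pattern, nocase, distance, within).
# None means the option is absent from that content.
RULE_2925 = [
    (b"Content-type: image/gif", True, None, None),
    (b"GIF", True, 0, None),
    (b"\x01\x00\x01\x00", False, 3, 4),  # logical screen width, height
    (b"\x2c", False, 0, None),           # image separator ","
    (b"\x01\x00\x01\x00", False, 4, 4),  # image width, height
]

def match_chain(data, chain=RULE_2925, idx=0, prev_end=0):
    """Return the offset of each content match, or None if the chain fails."""
    if idx == len(chain):
        return []
    pat, nocase, distance, within = chain[idx]
    hay, needle = (data.lower(), pat.lower()) if nocase else (data, pat)
    start = prev_end + (distance or 0)   # skip `distance` bytes after last match
    end = len(data) if within is None else min(len(data), start + within)
    pos = hay.find(needle, start, end)   # whole pattern must fit before `end`
    while pos != -1:
        rest = match_chain(data, chain, idx + 1, pos + len(pat))
        if rest is not None:
            return [pos] + rest
        pos = hay.find(needle, pos + 1, end)  # retry this content further on
    return None

def make_gif(width, height, palette=b""):
    """Constructed minimal GIF89a; palette is an optional 6-byte colour table."""
    packed = 0x80 if palette else 0      # bit 7: global colour table present
    header = b"GIF89a" + struct.pack("<HHBBB", width, height, packed, 0, 0)
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
    return header + palette + image + b"\x02\x02\x44\x01\x00\x3b"

def http_response(body):
    """Constructed server response carrying the GIF body."""
    return b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + body

if __name__ == "__main__":
    for w, h in ((1, 1), (2, 2)):
        print(f"{w}x{h}:", match_chain(http_response(make_gif(w, h))))
```

The two 4-byte matches are little-endian 16-bit pairs: first the logical screen width and height right after "GIF89a", then the image width and height that follow the left and top offsets after the 0x2C separator.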