Azinix

Rlp_ContentAttribute_t Struct Reference

Content to test for.

#include <rlp.h>


Data Fields

util_byte_array_t * byteArray
bool negated


Detailed Description

Content to test for.

This test is case sensitive.

The option data for the content keyword is somewhat complex; it can contain mixed text and binary data.

The binary data is generally enclosed within the pipe (|) character and represented as bytecode. Bytecode represents binary data as hexadecimal numbers and is a good shorthand method for describing complex binary data.

Multiple content options can be specified in one rule. This allows rules to be tailored to produce fewer false positives.

The following characters must be escaped inside a content string: the colon (:), the semicolon (;), the backslash (\) and the double quote (").

If the content string is preceded by a !, the alert is triggered on packets that do not contain this content.

This is useful when writing rules that should alert on packets that do not match a certain pattern.

Examples:

  	alert tcp any any -> 192.168.1.0/24 143 (content:"|90C8 C0FF FFFF|/bin/sh"; msg:"IMAP buffer overflow!";)  # illustrates mixed bytecode and text

  	alert tcp any any -> 192.168.1.0/24 21 (content: !"GET"; depth: 3; nocase; dsize: >100; msg: "Long Non-Get FTP command!";)  # illustrates negation

Implementation needs to split the bytecode segments from the non-bytecode segments, keeping an array of individual strings; then de-escape the escaped characters in the regular strings, convert the bytecode segments, and join everything together.

How is an escaped 0 dealt with? It must be bytecode, since otherwise the original (NUL-terminated) string would be broken. Estimated effort: 30 minutes.
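As an added example (not the project's own code), a small C parser for the content option argument described above: it separates the |...| bytecode from the literal text, de-escapes the four escapable characters, converts the hex, and keeps the result as a length-counted byte array so that a |00| byte survives, which is why an escaped 0 has to be written as bytecode. The names content_match_t, hexval and parse_content are hypothetical and are not the Rlp_ContentAttribute_t API.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical parsed form of one content option (not the project's Rlp_ContentAttribute_t). */
typedef struct {
    unsigned char bytes[256];  /* raw match bytes; may legitimately contain 0x00 */
    size_t len;
    bool negated;              /* true when the argument was prefixed with '!' */
} content_match_t;

static int hexval(int c)
{
    return isdigit(c) ? c - '0' : (isxdigit(c) ? tolower(c) - 'a' + 10 : -1);
}

/* Parse the argument of a content keyword, e.g.  !"|90C8 C0FF FFFF|/bin/sh".
 * Outside |...| text is literal after de-escaping \: \; \\ \" ; inside |...| it is
 * hex bytecode (spaces between bytes allowed). Returns 0 on success, -1 if malformed. */
int parse_content(const char *s, content_match_t *out)
{
    bool in_hex = false;
    int hi = -1, v = 0;                   /* hi: first nibble of a pending hex byte */
    out->len = 0;
    out->negated = false;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '!') {                      /* negation: alert when the content is absent */
        out->negated = true;
        for (s++; isspace((unsigned char)*s); s++) { }
    }
    if (*s++ != '"') return -1;
    for (; *s && *s != '"'; s++) {
        if (*s == '|') {                  /* enter/leave bytecode; reject a dangling nibble */
            if (in_hex && hi >= 0) return -1;
            in_hex = !in_hex;
            continue;
        }
        if (in_hex && isspace((unsigned char)*s)) continue;
        if (in_hex && (v = hexval((unsigned char)*s)) < 0) return -1;
        if (in_hex && hi < 0) { hi = v; continue; }
        if (!in_hex && *s == '\\') {      /* only : ; \ " may be escaped */
            s++;
            if (*s != ':' && *s != ';' && *s != '\\' && *s != '"') return -1;
        }
        if (out->len >= sizeof out->bytes) return -1;
        out->bytes[out->len++] = in_hex ? (unsigned char)((hi << 4) | v) : (unsigned char)*s;
        hi = -1;
    }
    return (in_hex || *s != '"') ? -1 : 0;  /* unterminated string or open |...| is an error */
}
```

Text after the closing quote (such as "; depth: 3") is left for the option splitter that calls this function.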

Definition at line 317 of file rlp.h.


Field Documentation

util_byte_array_t* Rlp_ContentAttribute_t::byteArray

Definition at line 319 of file rlp.h.

bool Rlp_ContentAttribute_t::negated

Definition at line 320 of file rlp.h.