This test is case sensitive.
The option data for the content keyword is somewhat complex; it can contain mixed text and binary data.
The binary data is generally enclosed within the pipe (|) character and represented as bytecode. Bytecode represents binary data as hexadecimal numbers and is a good shorthand method for describing complex binary data.
Multiple content rules can be specified in one rule. This allows rules to be tailored for less false positives.
The following characters must be escaped inside a content rule: : ; \ "
If the rule is preceded by a !, the alert will be triggered on packets that do not contain this content.
This is useful when writing rules that want to alert on packets that do not match a certain pattern
alert tcp any any -> 192.168.1.0/24 143 (content:"|90C8 C0FF FFFF|/bin/sh"; msg:"IMAP buffer overflow!";) # illustrates mixed bytecode and test
alert tcp any any -> 192.168.1.0/24 21 (content: !"GET"; depth: 3; nocase; dsize: >100; msg: "Long Non-Get FTP command!";) # illustrates negation
Implementation need to split the byte code non bytecode - keep a array of individual strings. then de-escape the escaped chars, stitch together on the regular strings, convert the bytecodes, join together.
How is escaped 0 dealt with? it must be byte code, since otherwise the original string would be broken. 30mins
Definition at line 317 of file rlp.h.