I am new to IDS signature tuning. While studying signatures, I come across the section 'CONTENT', based on which the signature triggers an alert. Now, when I see something in the content (example below), how do I decipher it?
content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"
If you were alerted with a content match of
|00 00|
That means the network packet data contained in its bytes 00 00.
|47 45 54|
would be a content match of GET in a packet.
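The answer above covers the two building blocks of a `content:` string: text outside the pipes is matched literally, and hex digits between pipes are raw byte values. The following is an added example, not code from the question or the answer, that decodes such a string into the bytes the sensor actually searches for and then checks a packet payload against it the way the rule engine does. It assumes the Snort/Suricata escaping rules (`\|`, `\"`, `\;`, `\\` inside the literal portion) and the `nocase` option; the two sample payloads are constructed, not captured traffic.

```python
import re

# The content string from the question above.
EXAMPLE = "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"

# One token of a content string: a |hex bytes| group, a backslash escape
# (\| \" \; \\), or a single ordinary literal character.
_TOKEN = re.compile(r"\|([0-9A-Fa-f\s]*)\||\\(.)|([^|\\])", re.S)


def decode_content(content: str) -> bytes:
    """Turn a Snort/Suricata content: string into the raw bytes it matches.

    Text outside pipes is taken literally; text between pipes is hex
    (spaces optional), so "|47 45 54|" and "GET" describe the same bytes.
    Raises ValueError on an unbalanced pipe or a malformed hex group.
    """
    out = bytearray()
    pos = 0
    for m in _TOKEN.finditer(content):
        if m.start() != pos:
            raise ValueError(f"unparsable content at offset {pos}: {content[pos:]!r}")
        pos = m.end()
        hexpart, escaped, literal = m.groups()
        if hexpart is not None:
            out += bytes.fromhex(hexpart)      # bytes.fromhex skips whitespace
        elif escaped is not None:
            out += escaped.encode("latin-1")   # the escaped character itself
        else:
            out += literal.encode("latin-1")
    if pos != len(content):
        raise ValueError(f"unparsable content at offset {pos}: {content[pos:]!r}")
    return bytes(out)


def render(content: str) -> str:
    """Printable view of the decoded bytes; non-printable bytes shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in decode_content(content))


def content_matches(payload: bytes, content: str, nocase: bool = False) -> bool:
    """Does a packet payload contain the bytes the content string describes?

    nocase mirrors the rule option of the same name (case-insensitive match).
    """
    needle = decode_content(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Constructed sample payloads (not real captures): the same text encoded two
# ways. Only the UTF-16LE form carries the |00| bytes between the letters,
# which is exactly what the example signature is written to find.
PAYLOAD_UTF16 = b"\x01\x00" + "EXEC xp_cmdshell".encode("utf-16-le")
PAYLOAD_ASCII = b"EXEC xp_cmdshell"

if __name__ == "__main__":
    print(decode_content("|47 45 54|"))                  # b'GET'
    print(render(EXAMPLE))                               # x.p._.c.m.d.s.h.e.l.l.
    print(decode_content(EXAMPLE).decode("utf-16-le"))   # xp_cmdshell
    print(content_matches(PAYLOAD_UTF16, EXAMPLE))       # True
    print(content_matches(PAYLOAD_ASCII, EXAMPLE))       # False
```

Run it and the question's string resolves to the letters `xp_cmdshell` with a null byte after each one, which is how UTF-16LE encodes plain ASCII text; that is why the rule spells it out with `|00|` groups rather than as a literal, and why the ASCII payload, although it contains the same words, does not trigger the match.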