Snort rule: what is something like | 01 00 01 00 | in a TCP packet, regarding a Snort rule?
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; nocase; distance:0; content:"|01 00 01 00|"; distance:3; within:4; content:"|2C|"; distance:0; content:"|01 00 01 00|"; distance:4; within:4; classtype:misc-activity; sid:2925; rev:2;)
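From the alert name, I can see that it seems to block receiving HTML code that includes a 0x0 GIF, to avoid bandwidth consumption. I just want to know what |01 00 01 00| is here. Please tell me, to help me better understand the whole rule.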
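As an added example (not part of the original post), the sketch below is a simplified emulation of the rule's relative content matches over a constructed HTTP response carrying a minimal GIF. It shows that the two `|01 00 01 00|` matches land on the GIF's little-endian width/height fields. The names `match_web_bug`, `find_all`, `GIF_1X1` and `RESPONSE` are hypothetical, and the sample bytes are constructed for illustration.

```python
import struct

# Constructed sample: HTTP response with a minimal 1x1 GIF body.
GIF_1X1 = (
    b"GIF89a"                    # signature "GIF" + version "89a"
    b"\x01\x00\x01\x00"          # logical screen width=1, height=1 (LE uint16)
    b"\x80\x00\x00"              # packed flags, background index, aspect ratio
    b"\x00\x00\x00\xff\xff\xff"  # global color table (2 entries)
    b"\x2c"                      # image separator ","  -> content:"|2C|"
    b"\x00\x00\x00\x00"          # image left, top (skipped by distance:4)
    b"\x01\x00\x01\x00"          # image width=1, height=1 (LE uint16)
    b"\x00"                      # image packed flags
    b"\x02\x02\x44\x01\x00"      # LZW min code size, data sub-block, terminator
    b"\x3b"                      # trailer
)
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + GIF_1X1
PIXEL = b"\x01\x00\x01\x00"      # the bytes the rule looks for twice

def find_all(buf, needle, start):
    """Yield every offset of needle in buf at or after start."""
    i = buf.find(needle, start)
    while i >= 0:
        yield i
        i = buf.find(needle, i + 1)

def match_web_bug(payload):
    """Return ((screen_w, screen_h), (img_w, img_h)) if the chain matches, else None."""
    lower = payload.lower()                    # emulates nocase
    hdr = b"content-type: image/gif"           # |3A| is ":"
    h = lower.find(hdr)
    if h < 0:
        return None
    for g in find_all(lower, b"gif", h + len(hdr)):    # content:"GIF"; distance:0
        screen = g + 3 + 3       # end of "GIF" + distance:3 skips the version bytes
        if payload[screen:screen + 4] != PIXEL:        # within:4 pins the position
            continue
        for c in find_all(payload, b"\x2c", screen + 4):   # content:"|2C|"; distance:0
            img = c + 1 + 4      # end of "," + distance:4 skips left/top
            if payload[img:img + 4] == PIXEL:
                return (struct.unpack_from("<HH", payload, screen),
                        struct.unpack_from("<HH", payload, img))
    return None

if __name__ == "__main__":
    print(match_web_bug(RESPONSE))
```

Read as two little-endian 16-bit integers, `01 00 01 00` is width 1 and height 1, so both the logical screen and the image frame must be 1x1 pixels for the chain to match.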