# Snort 2.9 option syntax: every option ends with ';', so nocase is its own option after content
alert tcp any any -> 192.168.19.132 80 (msg:"Possible attack"; flow:to_server; sid:100000012; content:"1"; nocase;)
alert tcp any any -> 192.168.19.132 80 (msg:"Possible attack"; flow:to_server; sid:100000013; content:"1%27"; nocase;)
With the two Snort rules above, when 1%27 is actually detected, both the alert for content "1" and the alert for content "1%27" are triggered at the same time, so it is impossible to get a fully precise match on the length, characters and so on of the content. Can the content field of a Snort rule be changed so that it matches the content exactly, for example by changing it to a regular expression?
I tried changing content "1" to "^1$", but that is not correct: it can no longer detect "1".
# The attempt that no longer matches: content is a literal match, so ^ and $ are searched for as plain characters
alert tcp any any -> 192.168.19.132 80 (msg:"Possible attack"; flow:to_server; sid:100000012; content:"^1$"; nocase;)
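The behaviour described in the post (and why "^1$" stops matching) comes down to the semantics of the two keywords: Snort's content keyword is an unanchored literal substring search, so regex metacharacters are looked for as ordinary bytes, while the pcre keyword (written in a rule as pcre:"/.../i") evaluates a real regular expression and so supports anchoring. The script below is an added example, not code from the original post, and it does not run Snort: it emulates the two keywords in Python's re over a few constructed HTTP requests to the host in the post, and shows the rules from the post side by side with anchored pcre alternatives (sids 100000014 and 100000015 and the [?&]id=... pattern are assumptions for this example, not from the post). The anchored patterns match only when the id parameter is exactly 1 or exactly 1%27; note also that content:"1" fires on every request, because "HTTP/1.1" and the Host header already contain the digit 1.

```python
import re

# Constructed sample HTTP requests to 192.168.19.132:80 (made up for this example,
# not captured traffic from the original post).
SAMPLES = {
    "id_1":   "GET /item.php?id=1 HTTP/1.1\r\nHost: 192.168.19.132\r\n\r\n",
    "id_1_q": "GET /item.php?id=1%27 HTTP/1.1\r\nHost: 192.168.19.132\r\n\r\n",
    "id_10":  "GET /item.php?id=10 HTTP/1.1\r\nHost: 192.168.19.132\r\n\r\n",
    "no_id":  "GET /about.html HTTP/1.1\r\nHost: 192.168.19.132\r\n\r\n",
}


def content_match(payload: str, literal: str, nocase: bool = True) -> bool:
    """Emulates Snort's content keyword: an unanchored literal substring search.

    Regex metacharacters such as ^ and $ are NOT interpreted, which is why
    content:"^1$" never matches a request that merely contains the digit 1.
    """
    if nocase:
        return literal.lower() in payload.lower()
    return literal in payload


def pcre_match(payload: str, regex: str, flags: int = re.IGNORECASE) -> bool:
    """Emulates Snort's pcre keyword: a regular expression searched over the payload.

    Snort uses the PCRE library; for the simple patterns below Python's re
    behaves the same way.
    """
    return re.search(regex, payload, flags) is not None


# sid -> (keyword, pattern). The first two mirror the rules in the post; the pcre
# entries are the assumed exact-match alternatives (equivalent rule option:
# pcre:"/[?&]id=1(?:&|\s)/i";). The last entry is the post's failed "^1$" attempt.
RULES = {
    100000012: ("content", "1"),
    100000013: ("content", "1%27"),
    100000014: ("pcre", r"[?&]id=1(?:&|\s)"),
    100000015: ("pcre", r"[?&]id=1%27(?:&|\s)"),
    100000016: ("content", "^1$"),
}


def fired(payload: str) -> set:
    """Return the set of sids whose single option matches the payload."""
    sids = set()
    for sid, (keyword, pattern) in RULES.items():
        if keyword == "content":
            hit = content_match(payload, pattern)
        else:
            hit = pcre_match(payload, pattern)
        if hit:
            sids.add(sid)
    return sids


def report() -> dict:
    """Evaluate every sample and return {sample_name: sorted list of fired sids}."""
    return {name: sorted(fired(payload)) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in report().items():
        print(f"{name:8s} -> {sids}")
```

The anchoring is done against the surrounding request text ([?&] before the parameter name, & or whitespace after the value) rather than with ^ and $, because ^ and $ in Snort's pcre refer to the start and end of the buffer being searched, not to a single parameter value. In a real Snort 2.9 rule the same effect can be narrowed further by restricting the buffer with the http_uri content modifier, or with the depth and offset modifiers, before applying the pattern.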