Tags: network-programming, tcp, packet, snort

Something like |01 00 01 00| in the TCP packet in the Snort rule?


This is a Snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; nocase; distance:0; content:"|01 00 01 00|"; distance:3; within:4; content:"|2C|"; distance:0; content:"|01 00 01 00|"; distance:4; within:4; classtype:misc-activity; sid:2925; rev:2;)

From the alert name, I can see it seems to be preventing the receipt of HTML code that includes a 0x0 GIF, to avoid bandwidth depletion. I just want to know what something like |01 00 01 00| is here. Please explain it to help me get a better understanding of the whole rule.


Solution

  • |01 00 01 00| is the width and height value of the GIF.

    content:"|01 00 01 00|"; distance:3; within:4; matches the 4 bytes after GIF89a


    Good luck~
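As an added illustration (not code from the question, the answer, or Snort itself), the script below emulates the rule's chain of content/distance/within matches over a constructed HTTP response carrying a 1x1 GIF. It shows how distance:3 steps over "89a" to the width/height bytes, which decode little-endian to width 1 and height 1, how the second |01 00 01 00| is reached after the |2C| image descriptor, and how a GIF of any other size falls out of the chain. The matching function is a simplified model of Snort's relative content semantics, written for this example.

```python
import struct
# Constructed sample (not captured traffic): an HTTP response carrying a
# 1x1 transparent GIF, the classic "web bug" this rule looks for.
GIF_1X1 = (
    b"GIF89a"                                       # signature + version
    + b"\x01\x00\x01\x00"                           # screen width=1, height=1 (little-endian)
    + b"\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"  # flags, bg index, aspect, 2-colour table
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"           # graphic control extension (transparent)
    + b"\x2c"                                       # image descriptor separator
    + b"\x00\x00\x00\x00"                           # image left=0, top=0
    + b"\x01\x00\x01\x00"                           # image width=1, height=1
    + b"\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b"   # no local table, LZW data, trailer
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
    b"Content-Length: %d\r\n\r\n" % len(GIF_1X1)
) + GIF_1X1

# The rule's content chain in order: (pattern, nocase, distance, within);
# None means the modifier is absent. distance:0 only anchors after the previous match.
RULE_CONTENTS = [
    (b"Content-type: image/gif", True, None, None),
    (b"GIF", True, 0, None),
    (b"\x01\x00\x01\x00", False, 3, 4),   # skip "89a", then the 4 width/height bytes
    (b"\x2c", False, 0, None),            # image descriptor separator
    (b"\x01\x00\x01\x00", False, 4, 4),   # skip left/top, then image width/height
]

def match_content_chain(payload, contents):
    """Simplified model of Snort relative content matching. Returns the match
    offsets, or None as soon as one content in the chain fails to match."""
    cursor, offsets = 0, []
    for pattern, nocase, distance, within in contents:
        start = cursor + (distance or 0)                          # distance: skip N bytes
        end = len(payload) if within is None else start + within  # within: search window
        hay, pat = payload[start:end], pattern
        if nocase:
            hay, pat = hay.lower(), pat.lower()
        idx = hay.find(pat)
        if idx < 0:
            return None
        offsets.append(start + idx)
        cursor = start + idx + len(pattern)   # next content is relative to this match end
    return offsets

def gif_dimensions(gif):
    """Decode logical screen width/height: two little-endian uint16 right after GIF89a."""
    return struct.unpack("<HH", gif[6:10])
```

Running match_content_chain on a response where both width/height fields are changed to a different size returns None at the third content, which is exactly the check that makes the signature specific to 1x1 images.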