content

The first option we will discuss is content, which is used to perform basic pattern matching against packet data. This option is declared with the content keyword, followed by a : character, and lastly followed by the content string enclosed in double quotes. Matches can also be "negated" with a ! character immediately after the colon, telling Snort only to handle packets that do not contain some string or hex sequence.

Content matches can contain ASCII strings, hex bytes, or a mix of both. Hex bytes must be enclosed in | characters.

A rule can contain multiple content matches, and each match is evaluated in the order they are declared in the rule (except fast_pattern matches, which are discussed in the next chapter). This means that Snort will continue checking subsequent matches against packet data only as long as the preceding content checks pass. As a result, it is often beneficial to place the most unique sequence of matches towards the top of the rule so that a failed check lets Snort exit processing early.

Format:

content:[!]"content_string";

Examples:

# Simple ascii string match
content:"USER root";
# Combining of ascii characters and hex bytes
content:"PK|03 04|";

Note: Certain characters must be either escaped (with a '\' character) or encoded in hex. These are: ';', '\', and '"'.

Content match modifiers

Snort content matches can be written with option modifiers to set additional evaluation requirements for a given content match, offering users greater specificity when defining rule parameters.

These modifiers include fast_pattern, nocase, within, distance, offset, and depth, and they are written alongside the content string, separated by commas. Certain modifiers also require "arguments" that define the parameters to go along with them.

Format:

, content_modifier [content_modifier_argument]

Examples:

content:"pizza", nocase;
content:"cheese";
content:" pizza", within 6;
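To make the content-string syntax above (ASCII text, |hex bytes|, backslash escapes, leading ! negation) and the in-order evaluation of multiple matches concrete, here is an added Python example that is not part of the Snort documentation or the Snort code base. It parses the text of a content option into the raw bytes Snort would search for and then evaluates a list of content matches sequentially against a payload, returning how many checks ran so the early-exit behaviour is visible. The matcher only understands the two modifiers used in the examples, nocase and within, and it models them with a simplified "cursor after the previous match" approach that is my assumption, not Snort's actual matching engine; fast_pattern, distance, offset and depth are deliberately left out.

```python
import re

# Escapes the page lists as required inside a content string.
ESCAPABLE = {';', '\\', '"'}


def parse_content(spec: str):
    """Parse the value of a content option (e.g. '!"PK|03 04|"') into bytes.

    Returns (negated, pattern_bytes). Hex runs between '|' characters are
    converted to bytes; whitespace inside a hex run is ignored; a backslash
    escapes one of ; \\ " as the page describes.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if len(spec) < 2 or spec[0] != '"' or spec[-1] != '"':
        raise ValueError("content string must be enclosed in double quotes")
    body = spec[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "|":
            end = body.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated hex block")
            digits = re.sub(r"\s+", "", body[i + 1:end])
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ValueError(f"bad hex block: |{body[i + 1:end]}|")
            out += bytes.fromhex(digits)
            i = end + 1
        elif ch == "\\":
            if i + 1 >= len(body) or body[i + 1] not in ESCAPABLE:
                raise ValueError("unsupported or dangling escape")
            out.append(ord(body[i + 1]))
            i += 2
        elif ch in ESCAPABLE:
            raise ValueError(f"character {ch!r} must be escaped or written in hex")
        else:
            out.append(ord(ch))
            i += 1
    return negated, bytes(out)


def evaluate_contents(contents, payload: bytes):
    """Evaluate content matches in declaration order against a payload.

    Each entry: {"pattern": bytes, "negated": bool, "nocase": bool,
                 "within": int | None}. Assumption (not Snort's real engine):
    each non-negated match advances a cursor to the end of the matched bytes,
    and 'within N' requires the next match to lie entirely in the N bytes
    after that cursor. Returns (rule_matched, checks_performed).
    """
    cursor = 0
    checks = 0
    for c in contents:
        checks += 1
        hay, pat = payload[cursor:], c["pattern"]
        if c.get("nocase"):
            hay, pat = hay.lower(), pat.lower()
        if c.get("within") is not None:
            hay = hay[:c["within"]]
        pos = hay.find(pat)
        if c.get("negated"):
            if pos != -1:
                return False, checks      # forbidden bytes present: rule fails
            continue                      # negated match does not move the cursor
        if pos == -1:
            return False, checks          # first failing check ends evaluation
        cursor += pos + len(pat)
    return True, checks


def pizza_rule():
    """The three content matches from the modifier examples on this page."""
    return [
        {"pattern": parse_content('"pizza"')[1], "nocase": True},
        {"pattern": parse_content('"cheese"')[1]},
        {"pattern": parse_content('" pizza"')[1], "within": 6},
    ]


if __name__ == "__main__":
    print(parse_content('"PK|03 04|"'))                              # constructed input
    print(evaluate_contents(pizza_rule(), b"PIZZA cheese pizza"))    # (True, 3)
    print(evaluate_contents(pizza_rule(), b"PIZZA cheese and pizza"))  # (False, 3)
```

Reordering the list passed to evaluate_contents shows the point made about match ordering: when the rarest pattern comes first and is absent, checks_performed is 1, whereas placing a common pattern first spends work on matches that cannot change the outcome.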

We will talk about each content match modifier in depth in the ensuing sections, starting with the fast_pattern option.