I am new to IDS signature tuning. So while studying signatures ; in the signatures I come across the section 'CONTENT' based on which the signature triggers alert. Now when I see something in content (example below); how to decipher the same ?
content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"
If you were alerted with a content match of |00 00|
That means the network packet data contained in its bytes 00 00.
|47 45 54| would be a content match of GET in a packet.
If it is Suricata you are lookign into, then there documentation mentions that any hexadecimal value should be placed within pipes.
To write for instance http:// in the content of a signature, you should write it like this: content: “http|3A|//”; If you use a heximal notation in a signature, make sure you always place it between pipes. Otherwise the notation will be taken literally as part of the content.
Going with that, you can decipher that the content has 00 in pipes in multiple places. Therefore, content string actually translates to "xp_cmdshell"
If you want to find out where in the packet it is matching, you need to provide more details from the alert.
