Syntax Rules of content
**content** is used to specify the feature string to be detected. The threat feature string to be detected is written in double quotation marks (<font color=red>""</font>). When the user selects a **content** feature string, the length of the feature string must be greater than or equal to 3.

Example:

```
content: "helloworld"; nocase; offset: 100; depth: 20;
```

This indicates that a maximum of 20 bytes can be matched from the 100th byte of the TCP/UDP Payload. In this range, the **helloworld** feature string is matched and is case-insensitive.

Keywords supported by the **content** syntax

| Keyword | Field Description |
| ------------ | ------------------------------------------------------------ |
| nocase | Case-insensitive when matching a specified feature string. |
| offset | Start position for matching. |
| depth | Matching depth. |
| distance | Number of bytes to skip before matching starts, relative to the end position of the previous match. |
| within | Maximum matching byte depth relative to the end position of the previous match. |
| fast_pattern | Indicates that the feature string has the most obvious threat characteristics and is used for pre-filtering. |
| [Protocol fields] | Modifies **content**. If **content** specifies a protocol field, the system detects whether the content of the specified protocol field contains the feature string. If no protocol field is specified, the content of TCP/UDP Payload is detected by default. In a signature, up to 16 content detection items can be written in the same protocol field. For details about the supported protocol fields, see the chapter on protocol fields. |

The **content** field is followed by a colon (<font color=red>**:**</font>) to carry the feature string to be matched, and double quotation marks (<font color=red>**""**</font>) are used to enclose the feature string.

If a feature string contains any of the following four symbols: colon (<font color=red>**:**</font>), semicolon (<font color=red>**;**</font>), backslash (<font color=red>**\\**</font>), and quotation mark (<font color=red>**"**</font>), write the symbols in escape mode, that is, add a backslash before each symbol, for example, <font color=red>**\:**</font>.

Multiple modifiers can be added to the **content** field. The modifiers are separated using semicolons (<font color=red>**;**</font>). Each rule can contain multiple **content** fields.

The content of a feature string can be represented in hexadecimal notation. Invisible characters, such as <font color=red>**<CR><LF>**</font> (carriage return and linefeed), are generally represented in hexadecimal notation, as <font color=red>**|0d 0a|**</font>.

We will describe the meaning and usage of each modifier field in detail in the following sections.
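
The escaping, hexadecimal notation and offset/depth window described above, sketched as an added Python example (not code from the original page or from the product). `decode_feature` and `match_content` are hypothetical names. It assumes that text and `|hex|` runs can be mixed in one string, that the 3-byte minimum applies to the decoded bytes, and that `offset` is a zero-based index.

```python
ESCAPABLE = set(':;\\"')  # the four symbols that must be written with a backslash


def decode_feature(text: str) -> bytes:
    """Convert the text between the double quotes into the bytes to match."""
    out, hexbuf, in_hex, i = bytearray(), "", False, 0
    while i < len(text):
        c = text[i]
        if in_hex:
            if c == "|":                      # closing bar: flush the hex run
                out += bytes.fromhex(hexbuf)  # ValueError on malformed hex
                hexbuf, in_hex = "", False
            else:
                hexbuf += c
        elif c == "|":
            in_hex = True
        elif c == "\\":
            i += 1
            if i >= len(text) or text[i] not in ESCAPABLE:
                raise ValueError('backslash must be followed by : ; \\ or "')
            out += text[i].encode()
        elif c in ESCAPABLE:
            raise ValueError(f"unescaped {c!r} in feature string")
        else:
            out += c.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| block")
    if len(out) < 3:                          # assumption: limit counts decoded bytes
        raise ValueError("feature string must be at least 3 bytes long")
    return bytes(out)


def match_content(payload: bytes, feature: str, nocase=False, offset=0, depth=None) -> int:
    """Return the payload index of the first match inside the window, or -1."""
    needle = decode_feature(feature)
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]              # only these bytes are searched
    if nocase:
        window, needle = window.lower(), needle.lower()
    pos = window.find(needle)
    return -1 if pos < 0 else offset + pos


if __name__ == "__main__":
    # Constructed payload: 105 filler bytes, then the string in mixed case.
    sample = b"A" * 105 + b"HelloWorld" + b"\r\n"
    print(match_content(sample, "helloworld", nocase=True, offset=100, depth=20))
```

A string that starts inside the window but ends past `offset + depth` does not match, which is a common reason a signature written with a tight `depth` misses traffic it was meant to catch.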