**http.host==6san.com
\nhttp.host contains 6san.com
\n\/\/\u8fc7\u6ee4\u7ecf\u8fc7\u6307\u5b9a\u57df\u540d\u7684http\u6570\u636e\u5305\uff0c\u8fd9\u91cc\u7684host\u503c\u4e0d\u4e00\u5b9a\u662f\u8bf7\u6c42\u4e2d\u7684\u57df\u540d
\nhttp.response.code==302
\n\/\/\u8fc7\u6ee4http\u54cd\u5e94\u72b6\u6001\u7801\u4e3a302\u7684\u6570\u636e\u5305
\nhttp.response==1
\n\/\/\u8fc7\u6ee4\u6240\u6709\u7684http\u54cd\u5e94\u5305
\nhttp.request==1
\n\/\/\u8fc7\u6ee4\u6240\u6709\u7684http\u8bf7\u6c42\uff0c\u8c8c\u4f3c\u4e5f\u53ef\u4ee5\u4f7f\u7528http.request
\nhttp.request.method==POST
\n\/\/wireshark\u8fc7\u6ee4\u6240\u6709\u8bf7\u6c42\u65b9\u5f0f\u4e3aPOST\u7684http\u8bf7\u6c42\u5305\uff0c\u6ce8\u610fPOST\u4e3a\u5927\u5199
\nhttp.cookie contains guid
\n\/\/\u8fc7\u6ee4\u542b\u6709\u6307\u5b9acookie\u7684http\u6570\u636e\u5305
\nhttp.request.uri==\u201d\/online\/setpoint\u201d
\n\/\/\u8fc7\u6ee4\u8bf7\u6c42\u7684uri\uff0c\u53d6\u503c\u662f\u57df\u540d\u540e\u7684\u90e8\u5206
\nhttp.request.full_uri==\u201d http:\/\/task.browser.360.cn\/online\/setpoint\u201d
\n\/\/\u8fc7\u6ee4\u542b\u57df\u540d\u7684\u6574\u4e2aurl\u5219\u9700\u8981\u4f7f\u7528http.request.full_uri
\nhttp.server contains \u201cnginx\u201d
\n\/\/\u8fc7\u6ee4http\u5934\u4e2dserver\u5b57\u6bb5\u542b\u6709nginx\u5b57\u7b26\u7684\u6570\u636e\u5305
\nhttp.content_type == \u201ctext\/html\u201d
\n\/\/\u8fc7\u6ee4content_type\u662ftext\/html\u7684http\u54cd\u5e94\u3001post\u5305\uff0c\u5373\u6839\u636e\u6587\u4ef6\u7c7b\u578b\u8fc7\u6ee4http\u6570\u636e\u5305
\nhttp.content_encoding == \u201cgzip\u201d
\n\/\/\u8fc7\u6ee4content_encoding\u662fgzip\u7684http\u5305
\nhttp.transfer_encoding == \u201cchunked\u201d
\n\/\/\u6839\u636etransfer_encoding\u8fc7\u6ee4
\nhttp.content_length == 279
\nhttp.content_length_header == \u201c279\u201d
\n\/\/\u6839\u636econtent_length\u7684\u6570\u503c\u8fc7\u6ee4
\nhttp.server
\n\/\/\u8fc7\u6ee4\u6240\u6709\u542b\u6709http\u5934\u4e2d\u542b\u6709server\u5b57\u6bb5\u7684\u6570\u636e\u5305
\nhttp.request.version == \u201cHTTP\/1.1\u2033
\n\/\/\u8fc7\u6ee4HTTP\/1.1\u7248\u672c\u7684http\u5305\uff0c\u5305\u62ec\u8bf7\u6c42\u548c\u54cd\u5e94
\nhttp.response.phrase == \u201cOK\u201d
\n\/\/\u8fc7\u6ee4http\u54cd\u5e94\u4e2d\u7684phrase**<\/p>\n
1.
\n\u8fc7 \u6ee4
\nIP\uff0c\u5982\u6765\u6e90IP\u6216\u8005\u76ee\u6807IP\u7b49\u4e8e\u67d0\u4e2aIP<\/p>\n
\u4f8b\u5b50:
\nip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
\n\u6216\u8005
\nip.addr eq 192.168.1.107 \/\/ \u90fd\u80fd\u663e\u793a\u6765\u6e90IP\u548c\u76ee\u6807IP<\/p>\n
2.
\n\u8fc7\u6ee4
\n\u7aef \u53e3<\/p>\n
\u4f8b\u5b50:
\ntcp.port eq 80 \/\/ \u4e0d\u7ba1\u7aef\u53e3\u662f\u6765\u6e90\u7684\u8fd8\u662f\u76ee\u6807\u7684\u90fd\u663e\u793a
\ntcp.port == 80
\ntcp.port eq 2722
\ntcp.port eq 80 or udp.port eq 80
\ntcp.dstport == 80 \/\/ \u53ea\u663etcp\u534f\u8bae\u7684\u76ee\u6807\u7aef\u53e380
\ntcp.srcport == 80 \/\/ \u53ea\u663etcp\u534f\u8bae\u7684\u6765\u6e90\u7aef\u53e380<\/p>\n
udp.port eq 15000<\/p>\n
\u8fc7\u6ee4
\n\u7aef\u53e3\u8303\u56f4
\ntcp.port >= 1 and tcp.port <= 80\n\n3.\n\u8fc7 \u6ee4\n\u534f\u8bae\n\n\u4f8b\u5b50:\ntcp\nudp\narp\nicmp\nhttp\nsmtp\nftp\ndns\nmsnms\nip\nssl\noicq\nbootp\n\u7b49 \u7b49\n\n\u6392\u9664arp\u5305\uff0c\u5982!arp \u6216\u8005 not arp\n\n4.\n\u8fc7 \u6ee4\nMAC\n\n\u592a\u4ee5\u7f51\u5934\n\u8fc7\u6ee4\n\neth.dst == A0:00:00:04:C5:84 \/\/\n\u8fc7\u6ee4\n\u76ee \u6807mac\neth.src eq A0:00:00:04:C5:84 \/\/\n\u8fc7 \u6ee4\n\u6765\u6e90mac\neth.dst==A0:00:00:04:C5:84\neth.dst==A0-00-00-04-C5-84\neth.addr eq A0:00:00:04:C5:84 \/\/\n\u8fc7\u6ee4\n\u6765 \u6e90MAC\u548c\u76ee\u6807MAC\u90fd\u7b49\u4e8eA0:00:00:04:C5:84\u7684\n\nless than \u5c0f\u4e8e < lt\n\u5c0f\u4e8e\u7b49\u4e8e le\n\n\u7b49 \u4e8e eq\n\n\u5927\u4e8e gt\n\u5927\u4e8e\u7b49\u4e8e ge\n\n\u4e0d\u7b49 ne\n\n\n5.\u5305\u957f\u5ea6\n\u8fc7 \u6ee4\n\n\n\u4f8b\u5b50:\nudp.length == 26 \u8fd9\u4e2a\u957f\u5ea6\u662f\u6307udp\u672c\u8eab\u56fa\u5b9a\u957f\u5ea68\u52a0\u4e0audp\u4e0b\u9762\u90a3\u5757\u6570\u636e\u5305\u4e4b\u548c\ntcp.len >= 7 \u6307\u7684\u662fip\u6570\u636e\u5305(tcp\u4e0b\u9762\u90a3\u5757\u6570\u636e),\u4e0d\u5305\u62ectcp\u672c\u8eab
\nip.len == 94 \u9664\u4e86\u4ee5\u592a\u7f51\u5934\u56fa\u5b9a\u957f\u5ea614,\u5176\u5b83\u90fd\u7b97\u662fip.len,\u5373\u4eceip\u672c\u8eab\u5230\u6700\u540e
\nframe.len == 119 \u6574\u4e2a\u6570\u636e\u5305\u957f\u5ea6,\u4eceeth\u5f00\u59cb\u5230\u6700\u540e<\/p>\n
eth —> ip or arp —> tcp or udp —> da
\nta<\/p>\n
6.http \u6a21\u5f0f
\n\u8fc7\u6ee4<\/p>\n
\u4f8b\u5b50:
\nhttp.request.method == “GET”
\nhttp.request.method == “POST”
\nhttp.request.uri == “\/img\/logo-edu.gif”
\nhttp contains “GET”
\nhttp contains “HTTP\/1.”<\/p>\n
\/\/ GET\u5305
\nhttp.request.method == “GET” && http contains “Host: ”
\nhttp.request.method == “GET” && http contains “User-Agent: ”
\n\/\/ POST\u5305
\nhttp.request.method == “POST” && http contains “Host: ”
\nhttp.request.method == “POST” && http contains “User-Agent: ”
\n\/\/ \u54cd\u5e94\u5305
\nhttp contains “HTTP\/1.1 200 OK” && http contains “Content-Type: ”
\nhttp contains “HTTP\/1.0 200 OK” && http contains “Content-Type: ”
\n\u4e00 \u5b9a\u5305\u542b\u5982\u4e0b
\nContent-Type:<\/p>\n
7.TCP\u53c2\u6570
\n\u8fc7 \u6ee4<\/p>\n
tcp.flags \u663e\u793a\u5305\u542bTCP\u6807\u5fd7\u7684\u5c01\u5305\u3002
\ntcp.flags.syn == 0x02 \u663e\u793a\u5305\u542bTCP SYN\u6807\u5fd7\u7684\u5c01\u5305\u3002
\ntcp.window_size == 0 && tcp.flags.reset != 1<\/p>\n
8.
\n\u8fc7\u6ee4
\n\u5185\u5bb9<\/p>\n
tcp[20] \u8868\u793a\u4ece20\u5f00\u59cb\uff0c\u53d61\u4e2a\u5b57\u7b26
\ntcp[20:]\u8868\u793a\u4ece20\u5f00\u59cb\uff0c\u53d61\u4e2a\u5b57\u7b26\u4ee5\u4e0a
\ntcp[20:8]\u8868\u793a\u4ece20\u5f00\u59cb\uff0c\u53d68\u4e2a\u5b57\u7b26
\ntcp[offset,n]<\/p>\n
udp[8:3]==81:60:03 \/\/ \u504f\u79fb8\u4e2abytes,\u518d\u53d63\u4e2a\u6570\uff0c\u662f\u5426\u4e0e==\u540e\u9762\u7684\u6570\u636e\u76f8\u7b49\uff1f
\nudp[8:1]==32 \u5982\u679c\u6211\u731c\u7684\u6ca1\u6709\u9519\u7684\u8bdd\uff0c\u5e94\u8be5\u662fudp[offset:\u622a\u53d6\u4e2a\u6570]=nValue
\neth.addr[0:3]==00:06:5B<\/p>\n","protected":false},"excerpt":{"rendered":"