# Rule UDS_1002_Account_irteam_Web_Response_160616 (sid:1001002)
#
# Purpose: alert on HTTP-style server responses (flow:to_client, source ports 80:20080)
# whose payload contains the account name "irteam" as a standalone token, i.e. a possible
# disclosure of an internal account name in web content returned to a client.
#
# Matching logic:
#   - content:"irteam"; fast_pattern;  is the case-sensitive pre-filter (no nocase on it).
#   - the positive pcre then requires the token to be bounded by a non-word character or
#     by line start/end (with an optional "su" suffix, e.g. "irteamsu"), capturing up to
#     10 characters of context on each side; /m makes ^ and $ match at line boundaries.
#   - every following content:! / pcre:! is a NEGATIVE match: if any of those strings
#     (file paths under /home1/irteam, JSON/config fragments, header-like tokens) appears
#     in the payload, the rule does NOT fire. They act as an allow-list of known benign
#     occurrences; most carry nocase, so the exclusions are case-insensitive while the
#     trigger itself is not.
#
# NOTE(review): the doubled backslashes inside the pcre and content strings (`\\W`, `\\"`,
#   `\\:`) look like an escaping artifact from wherever this rule was copied; in a rule
#   file PCRE expects a single `\W` — confirm against the deployed rule text.
# NOTE(review): the `executable\\:/home1/irteam/arc2/` exclusion has no nocase while its
#   sibling `executable\\:/home1/irteam/nbase-arc/` does — confirm whether that is intended.
# NOTE(review): the rule has no rev: keyword; adding `rev:` would let later tuning of the
#   exclusion list be tracked per revision.
alert tcp any 80:20080 -> any any (msg:"UDS_1002_Account_irteam_Web_Response_160616"; flow:to_client; content:"irteam"; fast_pattern; pcre:"/(^|.{0,10}\\W)irteam(su)?($|\\W.{0,10})/m"; content:!"irteam/owfs/"; nocase; content:!"javamail.irteam"; nocase; content:!"irteam/PROVAgent_NCLOUD"; nocase; content:!"irteam-user-created"; nocase; content:!"filename=\\"code.eps\\""; nocase; content:!"|0d 0a|executable\\:/home1/irteam/arc2/"; content:!"|0d 0a|executable\\:/home1/irteam/nbase-arc/"; nocase; content:!"|0d 0a|/home1/irteam/arc2/pgs/"; nocase; content:!"|0d 0a|/home1/irteam/nbase-arc/pgs/"; nocase; pcre:!"/<rdf:li.xml:lang=\\"x-default\\">\\(\\/home1\\/irteam/"; content:!"|00 0c|NimmServerIDt|00 03|"; content:!"configurable|3a 21|0|2c|value|3a 7b|\\"|2f|home1|2f|irteam|2f|deploy|2f|jenkins_ndeploy"; nocase; content:!"kisa|2d|irteam"; nocase; content:!"|2f|home1|2f|irteam|2f|jenkins_home|2f|workspace|2f|build-fe-prd"; nocase; content:!"|22|codecEnum|22 3a 22|AAC|22|"; content:!"|22|uri|22 3a 22|owfs|3a 2f 2f|"; content:!"|03|def"; content:!"|07|default"; content:!"bytes|7b|application|3d 22|"; content:!"|22|name|22 3a 22|NCC_CLUSTER_NAME|22|"; content:!"RawNsightInterface"; content:!"|2f|irteam|2f|log|25|"; content:!"ioH|2f|home|2f|irteam|2f|run|2d|"; content:!"|22 2c 22|Cwd|22 3a 22 2f|home1"; content:!"livenessProbe"; content:!"periodSeconds|5c 22 3a|"; content:!"elementor|2f|css"; content:!"|0a|acl_file|20 3d 20 2f|home1"; content:!"|22|NELO_PROJECT|5c 22|"; content:!"|0d 0a|redis_version|3a|"; content:!"|22 3a 5c 22|POD_NAME|5c 22|"; content:!"nginx|2f|l7check|2e|nhn"; sid:1001002;)
content나 pcre 뒤에 “!”로 시작하는 것은 탐지 근거 표시(하이라이트)가 되면 안 된다고 답변을 받음.
정규표현식을 탐지되어야 하는 형식에 맞게 작성하여, 처음부터 매치가 안 되게 하였음.