[Snort-devel] Snort content usage
roesch at ...402...
Wed Feb 9 06:31:28 EST 2005
Content matches all start from the beginning of the buffer unless you
use a "distance" keyword to indicate that a following match should
start some distance relative to the end of the last match. You can
also use the offset and depth keywords to specify absolute offsets into
the packet payload.
On Feb 5, 2005, at 11:09 AM, Peter Schmitz wrote:
> while reading the new Snort documentation I encountered some small
> questions, that perhaps someone in this mailing list can answer to me:
> When several contents are specified, and, let's say, the first content
> matches, does the search for the second content start at the beginning
> the payload, or at the position the first buffer was found?
> Just the same with all the other content-related key words (esp.
> depth). Are
> these relative to the last content match - or absolute values?
> Thanks for any help,
> DSL Komplett von GMX +++ Supergünstig und stressfrei einsteigen!
> AKTION "Kein Einrichtungspreis" nutzen: http://www.gmx.net/de/go/dsl
> This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> Tool for open source databases. Create drag-&-drop reports. Save time
> by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
> Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-devel