[Snort-devel] Snort content usage

Martin Roesch roesch at ...402...
Wed Feb 9 06:31:28 EST 2005

Hi Peter,

Content matches all start from the beginning of the buffer unless you 
use a "distance" keyword to indicate that a following match should 
start some distance relative to the end of the last match.  You can 
also use the offset and depth keywords to specify absolute offsets into 
the packet payload.


On Feb 5, 2005, at 11:09 AM, Peter Schmitz wrote:

> Hi,
> while reading the new Snort documentation I encountered some small
> questions, that perhaps someone in this mailing list can answer to me:
> When several contents are specified, and, let's say, the first content
> matches, does the search for the second content start at the beginning 
> of
> the payload, or at the position the first buffer was found?
> Just the same with all the other content-related key words (esp. 
> depth). Are
> these relative to the last content match - or absolute values?
> Thanks for any help,
> Peter
> -- 
> DSL Komplett von GMX +++ Supergünstig und stressfrei einsteigen!
> AKTION "Kein Einrichtungspreis" nutzen: http://www.gmx.net/de/go/dsl
> -------------------------------------------------------
> This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> Tool for open source databases. Create drag-&-drop reports. Save time
> by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
> Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-devel mailing list