[Snort-devel] [Snort-sigs] distance, within, and negated matches

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2499...
Thu May 23 15:50:20 EDT 2013


Hello.  Thank you Patrick for the response.  One point of clarity and one
thing that I noticed is that non-relative negated content matches seem to
*reset* the pointer so that is something to keep in mind... You should
always put non-relative negated content matches before or after your
relative content matches or it won't work as you expect!

Cheers,

Lord C.


On Sun, Jul 1, 2012 at 4:52 PM, Patrick Mullen <pmullen at ...402...> wrote:

> Wow, a flash from the past.  Welcome back.
>
> Negated content matches do not move the cursor, which means any negative
> content match, no matter how many there are, is relative to the last thing
> to move the cursor, whether it be a regular content match, pcre, byte_jump,
> etc.
>
> Cheers,
>
> Patrick
>
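
The cursor behaviour Patrick describes in the quoted reply, as a simplified Python model (an added example, not Snort code and not from either poster). The `Content` class, `evaluate` function, `RULE` chain and payloads are constructed for illustration; retrying later occurrences of a positive match is a modelling assumption, and the reset Lord C reports for non-relative negated matches is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    distance: Optional[int] = None  # relative modifiers; None means "not set"
    within: Optional[int] = None

def _window(opt: Content, cursor: int, size: int):
    """Byte range [start, end) in which opt's pattern is searched."""
    relative = opt.distance is not None or opt.within is not None
    start = max(cursor + (opt.distance or 0), 0) if relative else 0
    end = size if opt.within is None else min(size, start + opt.within)
    return start, end

def evaluate(options: List[Content], payload: bytes, cursor: int = 0, i: int = 0) -> bool:
    """True if every option in the chain is satisfied, in order."""
    if i == len(options):
        return True
    opt = options[i]
    start, end = _window(opt, cursor, len(payload))
    if opt.negated:
        if payload.find(opt.pattern, start, end) != -1:
            return False
        # A satisfied negated match leaves the cursor where it was.
        return evaluate(options, payload, cursor, i + 1)
    pos = payload.find(opt.pattern, start, end)
    while pos != -1:
        # A positive match moves the cursor to the end of the match.
        if evaluate(options, payload, pos + len(opt.pattern), i + 1):
            return True
        # Assumption: try a later occurrence if the rest of the chain fails.
        pos = payload.find(opt.pattern, pos + 1, end)
    return False

# Constructed chain, roughly:
#   content:"HDR"; content:!"X"; within:2; content:!"BAD"; within:4;
#   content:"1234"; distance:0; within:4;
RULE = [
    Content(b"HDR"),
    Content(b"X", negated=True, within=2),
    Content(b"BAD", negated=True, within=4),
    Content(b"1234", distance=0, within=4),
]

if __name__ == "__main__":
    for sample in (b"HDR1234BAD", b"HDR1X34", b"HDRBAD1", b"HDRX HDR1234"):
        print(sample, evaluate(RULE, sample))
```

In this model both negated options and the final `1234` match are all measured from the end of `HDR`, which is why `1234` still matches at `distance:0` after two negated options.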