[Snort-sigs] within syntax questions
dwilburn at ...8...
Fri Dec 12 06:08:02 EST 2003
I want to write a signature that will fire off an alarm when the
following situation occurs:
string A is detected within X bytes before string B, and string C is
detected within Y bytes after string B.
I tried the following, with no success:
content:A; content:B; within:X; content:C; within:Y;
I suspect that my problem is that "string B is detected within X bytes
after string A", which is what the above rule would do, is NOT the same
as "string A is detected within X bytes before string B". The algorithm
is probably a bit greedy, and will stop after seeing the first string A
without looking for any further string As if a B is not found within X
bytes of the very first string A found by the string searching
algorithm, but maybe I'm wrong.
Are multiple withins even possible? I didn't get any syntax errors, so
I must presume that they are. How would I do something like the above,
without resorting to patching/recompiling snort and writing the rule
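Appended here as an added example that is not part of the original post: a small Python model of the two readings of `content:A; content:B; within:X; content:C; within:Y;` that the question contrasts, run over a constructed payload. The function names, the sample bytes and the simplified reading of `within:N` (the next pattern must start no more than N bytes after the previous match ends) are assumptions of this example; it models the semantics the post describes and is not a description of Snort's detection engine.

```python
# Added example (not from the original post, not Snort code): a model of the
# two ways of evaluating "content:A; content:B; within:X; content:C; within:Y;"
# so the difference between anchoring on the first A and anchoring on each B
# can be seen on a concrete payload.
#
# Assumption used throughout: "within:N" means the next pattern must START at
# most N bytes after the END of the previous match. Snort's exact window
# arithmetic is not described in the post, so this is a simplification.

from typing import Iterator, Optional, Tuple

Hit = Tuple[int, int]          # (start offset, end offset) of one match
Result = Optional[Tuple[int, int, int]]   # (A start, B start, C start) or None


def find_all(payload: bytes, needle: bytes) -> Iterator[Hit]:
    """Yield every (start, end) occurrence of needle, overlapping ones included."""
    i = payload.find(needle)
    while i != -1:
        yield i, i + len(needle)
        i = payload.find(needle, i + 1)


def match_first_a_only(payload: bytes, a: bytes, b: bytes, x: int,
                       c: bytes, y: int) -> Result:
    """The behaviour the poster suspects: lock onto the FIRST A, require B to
    start within x bytes after that A ends, then C within y bytes after B ends.
    Later occurrences of A are never retried."""
    a_hit = next(find_all(payload, a), None)
    if a_hit is None:
        return None
    a_start, a_end = a_hit
    b_hit = next((h for h in find_all(payload, b) if a_end <= h[0] <= a_end + x), None)
    if b_hit is None:
        return None
    b_start, b_end = b_hit
    c_hit = next((h for h in find_all(payload, c) if b_end <= h[0] <= b_end + y), None)
    if c_hit is None:
        return None
    return a_start, b_start, c_hit[0]


def match_anchored_on_b(payload: bytes, a: bytes, b: bytes, x: int,
                        c: bytes, y: int) -> Result:
    """What the post asks for: for EVERY B, look for some A that ends at most
    x bytes before B starts and some C that starts at most y bytes after B ends.
    Trying each B in turn is what makes the second A in the sample usable."""
    for b_start, b_end in find_all(payload, b):
        a_hit = next((h for h in find_all(payload, a)
                      if b_start - x <= h[1] <= b_start), None)
        if a_hit is None:
            continue
        c_hit = next((h for h in find_all(payload, c)
                      if b_end <= h[0] <= b_end + y), None)
        if c_hit is None:
            continue
        return a_hit[0], b_start, c_hit[0]
    return None


# Constructed sample payloads (not captured traffic). In FAR_FIRST_A the first
# "foo" is 10 bytes before "bar", too far for x=3, but a second "foo" sits one
# byte before it; in CLOSE_A the only "foo" is already close enough.
FAR_FIRST_A = b"foo......foo.bar.baz"   # foo@0, foo@9, bar@13, baz@17
CLOSE_A = b"foo.bar.baz"                # foo@0, bar@4, baz@8

if __name__ == "__main__":
    args = (b"foo", b"bar", 3, b"baz", 3)
    for name, payload in (("FAR_FIRST_A", FAR_FIRST_A), ("CLOSE_A", CLOSE_A)):
        print(name, "first-A-only:", match_first_a_only(payload, *args),
              "anchored-on-B:", match_anchored_on_b(payload, *args))
```

On the first payload the first-A-only model returns no match while the B-anchored model reports offsets (9, 13, 17); on the second both agree on (0, 4, 8). Under this simplified window rule the two conditions the post contrasts ("B within X after A" and "A within X before B") describe the same pairs of offsets; what separates the two functions is only whether later occurrences of A are retried after the first one fails.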