[Snort-sigs] within syntax questions

David Wilburn dwilburn at ...8...
Fri Dec 12 06:08:02 EST 2003


I want to write a signature that will fire off an alarm when the 
following situation occurs:

string A is detected within X bytes before string B, and string C is 
detected within Y bytes after string B.

I tried the following, with no success:
content:A; content:B; within:X; content:C; within:Y;

I suspect that my problem is that "string B is detected within X bytes 
after string A", which is what the above rule would do, is NOT the same 
as "string A is detected within X bytes before string B".  The algorithm 
is probably a bit greedy, and will stop after seeing the first string A 
without looking for any further string As if a B is not found within X 
bytes of the very first string A found by the string searching 
algorithm, but maybe I'm wrong.

Are multiple withins even possible?  I didn't get any syntax errors, so 
I must presume that they are.  How would I do something like the above, 
without resorting to patching/recompiling snort and writing the rule 
using pcre?

-Dave Wilburn
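Added illustration for the question above (not Snort's detection engine, and not code from the poster): a toy model of chained content matching with "within"-style windows. It runs the same rule three ways over constructed payloads: from the first A only (the greedy behaviour the post suspects), retried from every A, and anchored on each B with A checked in the bytes before it, which is the condition the post actually wants. The window semantics are a simplifying assumption: a pattern satisfies "within N" when it lies entirely inside the N bytes after the previous match ends.

```python
"""
Toy model of ordered content matching with within-style windows.

Added illustration for the question above; it is not Snort's detection
engine. Simplifying assumption: a pattern satisfies "within N" when it lies
entirely inside the N bytes that follow the end of the previous match.
"""

# Constructed rule pieces: content:A; content:B; within:X; content:C; within:Y;
A, B, C = b"A", b"B", b"C"
X, Y = 5, 3

# Constructed payloads (no real traffic).
PAYLOADS = {
    "close_pair":    b"A.B.C",                       # first A is already near B
    "far_then_near": b"A" + b"." * 20 + b"A..B.C",   # first A far away, second A close
    "no_match":      b"A......B.C",                  # gap between A and B exceeds X
}


def occurrences(payload, pattern, lo=0, hi=None):
    """Every offset at which pattern lies entirely within payload[lo:hi]."""
    hi = len(payload) if hi is None else hi
    hits, start = [], lo
    while (i := payload.find(pattern, start, hi)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def match_first_a_only(payload, a=A, b=B, c=C, x=X, y=Y):
    """Chain content:A; content:B; within:X; content:C; within:Y; but only from
    the first A found, never retrying a later A (the behaviour the post suspects)."""
    ia = payload.find(a)
    if ia < 0:
        return False
    end_a = ia + len(a)
    for ib in occurrences(payload, b, end_a, end_a + x):
        end_b = ib + len(b)
        if occurrences(payload, c, end_b, end_b + y):
            return True
    return False


def match_every_a(payload, a=A, b=B, c=C, x=X, y=Y):
    """The same chain, retried from every occurrence of A (full backtracking)."""
    for ia in occurrences(payload, a):
        end_a = ia + len(a)
        for ib in occurrences(payload, b, end_a, end_a + x):
            end_b = ib + len(b)
            if occurrences(payload, c, end_b, end_b + y):
                return True
    return False


def match_anchored_on_b(payload, a=A, b=B, c=C, x=X, y=Y):
    """The condition the post actually wants, stated from B's point of view:
    some A lies entirely in the x bytes before B, and some C lies entirely in
    the y bytes after B. Checked for every B, so no occurrence is skipped."""
    for ib in occurrences(payload, b):
        end_b = ib + len(b)
        if (occurrences(payload, a, max(0, ib - x), ib)
                and occurrences(payload, c, end_b, end_b + y)):
            return True
    return False


def compare(payload):
    """Result of each strategy on one payload."""
    return {
        "first_a_only": match_first_a_only(payload),
        "every_a": match_every_a(payload),
        "anchored_on_b": match_anchored_on_b(payload),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:14s} {compare(payload)}")
```

On the "far_then_near" payload the first-A-only strategy misses while the other two fire, which is exactly the gap the post describes: whether the chained rule works depends on whether the engine retries from later occurrences of A, whereas anchoring the check on B makes the "A within X bytes before B" condition explicit and independent of that.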
