[Snort-sigs] RE: [Snort-users] More sid 1841

Matt Kettler mkettler at ...189...
Sat Feb 22 12:36:03 EST 2003

Since it's about improving a rule which is FP prone, I'll agree this has 
turned into a signature-devel related topic more than a users topic. Moving 
out of users.

The keyword you want is "within" not "depth".

And no, you can't use regexp's in snort... Snort would be a lot slower if 
it did.

So what you really want is something like this:
content:"javascript\://"; nocase; content:"\\n"; within:512;

(note I upped the range, due to the possibility of escape-codes making the 
domain part of this URL longer than 255 bytes, as per my snort-users post).

At 11:00 AM 2/22/2003 -0600, Schmehl, Paul L wrote:
>If I understand the rules docs correctly (and there's no guarantee that
>I do), the depth parameter is measured from the beginning of the
>payload, not from the beginning of a previous content search
>So something like this wouldn't work, right?
>content:"javascript\://"; nocase; content:"\\n"; depth:255;
>Can you use regexp wild cards like this?

More information about the Snort-sigs mailing list