[Snort-sigs] Depth and multi content rule help.

Chris Green cmg at ...435...
Wed Jun 18 09:59:01 EDT 2003

[ use only sigs or only users ]

"larosa, vjay" <larosa_vjay at ...375...> writes:

> If I have a rule with three pattern matches in it and I want to limit the
> search depth for just one of the content searches, but I want the other two
> pattern matches to search the whole packet, is this possible?
> This is an example of what I am trying to do.
> alert any any -> any any (msg:"Test"; content:"123"; content:"101112";
> depth:48; content:"|ff 53 4d 42 a2|";)
> Will this work? Or will my depth keyword apply to all three content
> matches?

It only applies to the previous content option.

Chris Green <cmg at ...435...>
You now have 14 minutes to reach minimum safe distance.
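The binding described in the reply above, as an added example that is not part of the original thread and is not Snort's own code: a small Python model that attaches each `depth` to the `content` immediately before it and checks constructed payloads. The function names are hypothetical, only `depth` is modelled (no `offset`, `distance`, `within` or `nocase`), and every content is assumed to search from the start of the payload.

```python
import re

def decode_content(s):
    """Decode a Snort content string; text between | | is hex bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(options):
    """Return [{'pattern': bytes, 'depth': int or None}, ...] in rule order."""
    contents = []
    for m in re.finditer(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', options):
        key, val = m.group(1), m.group(2).strip()
        if key == "content":
            contents.append({"pattern": decode_content(val.strip('"')),
                             "depth": None})
        elif key == "depth":
            if not contents:
                raise ValueError("depth with no preceding content")
            # A modifier binds only to the most recent content option.
            contents[-1]["depth"] = int(val)
    return contents

def matches(options, payload):
    """True when every content is found inside its own search window."""
    for c in parse_contents(options):
        window = payload if c["depth"] is None else payload[:c["depth"]]
        if c["pattern"] not in window:
            return False
    return True

# Option list from the question above.
OPTIONS = ('msg:"Test"; content:"123"; content:"101112"; depth:48; '
           'content:"|ff 53 4d 42 a2|";')

# Constructed payloads (not captured traffic).
SMB = b"\xffSMB\xa2"
P_MATCH = b"hdr-101112" + b"A" * 90 + SMB + b"B" * 20 + b"123"
P_TOO_DEEP = b"A" * 60 + b"101112" + SMB + b"123"   # "101112" starts at 60
P_STRADDLE = b"A" * 45 + b"101112" + SMB + b"123"   # crosses byte 48

if __name__ == "__main__":
    for name, p in [("match", P_MATCH), ("too deep", P_TOO_DEEP),
                    ("straddle", P_STRADDLE)]:
        print(name, matches(OPTIONS, p))
```

In `P_MATCH` the unrestricted patterns sit at offsets 100 and 125, well past byte 48, and the rule still matches because only `"101112"` carries the depth limit.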
