[Snort-sigs] Depth and multi content rule help.
cmg at ...435...
Wed Jun 18 09:59:01 EDT 2003
[ use only sigs or only users ]
"larosa, vjay" <larosa_vjay at ...375...> writes:
> If I have a rule with three pattern matches in it and I want to limit the
> search depth for just one of the content searches, but I want the other two
> pattern matches to search the whole packet is this possible?
> This is an example of what I am trying to do.
> alert any any -> any any (msg:"Test" content:"123"; content:"101112";
> depth:48; content:"|ff 53 4d 42 a2|";)
> Will this work? Or will my depth keyword apply to the all three content
It only applies to the previous content option.
Chris Green <cmg at ...435...>
You now have 14 minutes to reach minimum safe distance.
More information about the Snort-sigs