[Snort-sigs] Re: Depth and multi content rule help.
dank at ...1581...
Thu Jun 19 09:18:18 EDT 2003
In article <9A01501BF79D864D95402AF6FBEE33D9029290EC at ...577...>, larosa, vjay wrote:
> alert any any -> any any (msg:"Test" content:"123"; content:"101112";
> depth:48; content:"|ff 53 4d 42 a2|";)
> Will this work? Or will my depth keyword apply to the all three content
the first evidence that the depth, etc modifiers applied only to certain
content options in the signature was SID 2003, the sql slammer worm:
    content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"
if the depth:1 applied to both content rules, the second content could
never be matched; if it applied to neither, the first content is
entirely unnecessary (it's contained within the second).
confirmation lurks within PayloadSearchDepth, where the lines:
    idx = (PatternMatchData *) otn->ds_list[lastType];
    if(idx == NULL)
        FatalError("ERROR %s Line %d => Please place \"content\" rules "
                   "before depth, nocase or offset modifiers.\n",
    while(idx->next != NULL)
        idx = idx->next;
show that only the last content rule is modified. someone should update
the documentation, as this bit me when i wrote my company's snort
compatibility code :).
nick black <dank at ...1582...>
"np: nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo
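To make the binding rule concrete, here is an added example (not Snort's code and not from the thread) that models the semantics described above: each payload modifier attaches to the most recently parsed content option, a modifier with no preceding content is rejected the way PayloadSearchDepth's FatalError does, and every content is then searched independently within its own offset/depth window. The parser and matcher are simplified assumptions for illustration, not Snort's real rule engine.

```python
import re


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes, decoding |hh hh| hex sections."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:  # odd pieces sit between | | delimiters: hex byte pairs
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_options(options: str) -> list:
    """Return [(pattern, {modifier: value}), ...] with each modifier bound
    to the last content seen, mirroring the ds_list walk in the post."""
    contents = []
    for opt in filter(None, (o.strip() for o in options.split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append((parse_content(val.strip('"')), {}))
        elif key in ("depth", "offset", "nocase"):
            if not contents:
                # same situation Snort reports as a FatalError
                raise ValueError(f"{key} must follow a content option")
            contents[-1][1][key] = int(val) if val else True
        # msg and other non-payload options do not affect matching here
    return contents


def rule_matches(options: str, payload: bytes) -> bool:
    """Each content is searched on its own; only contents carrying a
    depth/offset get a narrowed search window."""
    for pattern, mods in parse_options(options):
        start = mods.get("offset", 0)
        window = payload[start:start + mods.get("depth", len(payload))]
        if mods.get("nocase"):
            pattern, window = pattern.lower(), window.lower()
        if pattern not in window:
            return False
    return True
```

Running the rule from the question against a constructed payload shows that "101112" must sit inside the first 48 bytes while "123" may appear anywhere, and the SQL Slammer pair from SID 2003 matches only when |04| is the very first byte.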