[Snort-sigs] Look for attached files?
Andrew Hintz (Drew)
drew at ...486...
Sun May 25 18:32:02 EDT 2003
> What does the "distance" in the rules mean?
The distance keyword is a content modifier that makes sure that at least N
bytes are between pattern matches using the Content (see Section 2.3.9).
It's designed to be used in conjunction with the within (Section 2.3.39)
The rule listed in Figure 2.32 maps to a regular expression of
distance: <byte count>;
alert tcp any any -> any any (content: "2 Patterns"; \
content: "ABCDE"; content: "EFGH"; distance: 1;)
Figure 2.32: distance usage example
--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518 5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
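
The "at least N bytes between matches" behaviour quoted above, as an added example that is not part of the original message and is not Snort's own code. It is a simplified Python model covering only unmodified content and content with a non-negative distance; the function name, the RULE list and the payloads are constructed for illustration.

```python
# Simplified model of Snort content matching with the distance modifier.
# Assumption: only plain content and content + non-negative distance are
# modelled (no within/offset/depth/nocase). Names here are hypothetical.

def match_contents(payload, contents):
    """Return the start offset of each content match, or None if any fails.

    contents is a list of (pattern, distance) pairs:
      distance None -> pattern may appear anywhere in the payload
      distance N    -> search begins N bytes after the END of the
                       previous content match, so at least N bytes
                       separate the two patterns
    """
    offsets = []
    prev_end = 0
    for pattern, distance in contents:
        start = 0 if distance is None else prev_end + distance
        pos = payload.find(pattern, start)
        if pos == -1:
            return None
        offsets.append(pos)
        prev_end = pos + len(pattern)
    return offsets

# The rule from Figure 2.32:
#   content: "2 Patterns"; content: "ABCDE"; content: "EFGH"; distance: 1;
RULE = [(b"2 Patterns", None), (b"ABCDE", None), (b"EFGH", 1)]

# Constructed payloads with the result expected from the model.
SAMPLES = [
    b"2 Patterns ABCDEFGH",       # patterns overlap on 'E'      -> no match
    b"2 Patterns ABCDEEFGH",      # zero bytes between patterns  -> no match
    b"2 Patterns ABCDE-EFGH",     # exactly one byte between     -> match
    b"2 Patterns ABCDE....EFGH",  # more than one byte between   -> match
    b"ABCDE-EFGH 2 Patterns",     # plain content is order-free  -> match
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(payload, "->", match_contents(payload, RULE))
```

Because distance only sets a lower bound on where the search starts, taking the leftmost match of the previous content is enough in this model; combining it with within adds an upper bound, which this sketch does not cover.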