[Snort-sigs] Look for attached files?

Andrew Hintz (Drew) drew at ...486...
Sun May 25 18:32:02 EDT 2003

> What does the "distance" in the rules mean?


2.3.38  distance

The distance keyword is a content modifier that makes sure that at least N
bytes are between pattern matches using the Content (see Section 2.3.9).
It's designed to be used in conjunction with the within (Section 2.3.39)
rule option.

The rule listed in Figure 2.32 maps to a regular expression of


distance: <byte count>;

alert tcp any any -> any any (content: "2 Patterns"; \
          content: "ABCDE"; content: "EFGH"; distance: 1;)

Figure 2.32: distance usage example



--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
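
The following is an added example, not part of the original post and not Snort's own code: a simplified Python model of how the rule in Figure 2.32 behaves on a payload. The function name, the tuple layout and the sample payloads are assumptions made for illustration; "within" is modeled as a limit on where the match may end.

```python
# Added illustration: a simplified model of Snort "content" matching with the
# "distance" and "within" modifiers. This is not Snort's detection engine.

def match_contents(payload, contents, idx=0, prev_end=0):
    """Return True if every (pattern, distance, within) entry matches.

    distance=None -> pattern is searched from the start of the payload.
    distance=N    -> search starts N bytes after the end of the previous match.
    within=M      -> the match must end within M bytes of that starting point.
    """
    if idx == len(contents):
        return True
    pattern, distance, within = contents[idx]
    start = 0 if distance is None else prev_end + distance
    limit = len(payload) if within is None else min(len(payload), start + within)
    pos = payload.find(pattern, start, limit)
    while pos != -1:
        # Try the remaining contents; on failure, backtrack to a later hit.
        if match_contents(payload, contents, idx + 1, pos + len(pattern)):
            return True
        pos = payload.find(pattern, pos + 1, limit)
    return False

# The rule from Figure 2.32: "distance: 1" modifies the "EFGH" content.
FIGURE_2_32 = [(b"2 Patterns", None, None),
               (b"ABCDE", None, None),
               (b"EFGH", 1, None)]

# Constructed sample payloads with the expected verdict for each.
SAMPLES = {
    b"2 Patterns ABCDE_EFGH": True,     # one byte between the patterns
    b"2 Patterns ABCDE....EFGH": True,  # more than one byte is also fine
    b"2 Patterns ABCDEFGH": False,      # "EFGH" overlaps the end of "ABCDE"
    b"2 Patterns ABCDEEFGH": False,     # zero bytes between the patterns
}

if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        print(payload, match_contents(payload, FIGURE_2_32), expected)
```
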
