[Snort-sigs] Look for attached files?

Andrew Hintz (Drew) drew at ...486...
Sun May 25 18:32:02 EDT 2003


> What does the "distance" in the rules mean?

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.38

2.3.38  distance

The distance keyword is a content modifier that makes sure that at least N
bytes are between pattern matches using the content keyword (see Section 2.3.9).
It's designed to be used in conjunction with the within (Section 2.3.39)
rule option.

The rule listed in Figure 2.32 maps to a regular expression of
/ABCDE.{1}EFGH/.

Format

distance: <byte count>;

alert tcp any any -> any any (content: "2 Patterns"; \
          content: "ABCDE"; content: "EFGH"; distance: 1;)

Figure 2.32: distance usage example

--
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
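To make the manual's wording concrete, here is an added Python emulation of the matching semantics (not Snort's detection engine and not part of the original post): match_contents, figure_2_32_matches, regex_matches and the sample payloads are constructed assumptions. It treats a content with neither distance nor within as an absolute search from offset 0, applies distance as "at least N bytes after the previous match" and within as "at most N bytes", and does no backtracking.

```python
import re

def match_contents(payload: bytes, contents):
    """Simplified emulation of Snort content matching with relative modifiers.

    contents: list of (pattern, distance, within); distance/within may be None.
    A content with neither modifier is absolute (searched from offset 0); one
    with distance or within is relative to the end of the previous match.
    Returns True when every pattern is found in order under its constraints.
    """
    cursor = 0  # byte offset just past the previous content match
    for pattern, distance, within in contents:
        relative = distance is not None or within is not None
        start = cursor + (distance or 0) if relative else 0
        idx = payload.find(pattern, start)
        if idx < 0:
            return False
        if relative and within is not None and idx - cursor > within:
            return False  # gap to the previous match is larger than within
        cursor = idx + len(pattern)
    return True

# The rule from Figure 2.32 as (pattern, distance, within) triples: "2 Patterns"
# and "ABCDE" are absolute; "EFGH" must start at least 1 byte after "ABCDE".
FIG_2_32 = [(b"2 Patterns", None, None), (b"ABCDE", None, None), (b"EFGH", 1, None)]

def figure_2_32_matches(payload: bytes) -> bool:
    return match_contents(payload, FIG_2_32)

# Regex view of the relative pair only: ABCDE, at least one byte, then EFGH.
FIG_2_32_REGEX = re.compile(rb"ABCDE.{1,}EFGH", re.DOTALL)

def regex_matches(payload: bytes) -> bool:
    return FIG_2_32_REGEX.search(payload) is not None

if __name__ == "__main__":
    # Constructed payloads: one byte between, several bytes between, none.
    for p in (b"2 Patterns ABCDExEFGH",
              b"2 Patterns ABCDE----EFGH",
              b"2 Patterns ABCDEEFGH"):
        print(p, figure_2_32_matches(p), regex_matches(p))
```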
