[Snort-sigs] Corrupted definitions of 2403.4 and 2404.5?

Brian bmc at ...95...
Fri Jun 4 13:21:04 EDT 2004


On Fri, Jun 04, 2004 at 01:30:43PM -0600, nnposter at ...592... wrote:
> Definitions of rules 2403.4 and 2404.5 start with two *relative* content
> clauses:
> 
> flow:to_server,established; 
> content:"|00 00|"; distance:0; 
> content:"|00 00|"; distance:0; 
> content:"|00|"; depth:1;

Thats fine actually, the first distance will act as "offset" since the
doe_ptr is set to 0.

Brian




More information about the Snort-sigs mailing list