[Snort-sigs] Matching question

Ron iago at ...3116...
Tue Jul 19 07:00:35 EDT 2005



Thanks, that's what I needed!

bmc at ...95... wrote:
> To match the first 2 bytes, skip one byte, then match 4 bytes, you can
> do that in two different ways.
> 
> Normally:
>     content:"|FF 51|"; depth:2; content:"|01 00 00 00|"; offset:3; 
>     depth:4;
> 
> Via relative:
>     content:"|FF 51|"; depth:2; content:"|01 00 00 00|"; distance:1;
>     within:4;
> 
> 
> It's really up to you which you choose.  I prefer relative, but mostly
> due to having to deal with layers upon layers of protocols.  If the rules
> are relative, then I only have to maintain one set of distances.
> 
> Brian
> 
> 
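The two rule forms from Brian's reply, as an added example that is not from the thread or from Snort: a small Python evaluator for the offset, depth, distance and within modifiers, run over constructed payloads to show that both forms pin "|01 00 00 00|" to byte 3 (one byte after "|FF 51|"), and why a relative chain needs only its first anchor moved when an outer header is prepended. The rule dicts and shift_for_header helper are this example's own names.

```python
# Added example, not from the thread or from Snort: a tiny evaluator for the
# content modifiers in the two rule forms, run over constructed payloads.

def match_contents(payload: bytes, contents) -> bool:
    """Evaluate Snort-style content checks left to right.
    Absolute modifiers: offset (window start), depth (window length).
    Relative modifiers: distance (skip past previous match), within (window length).
    """
    cursor = 0  # byte just past the previous match
    for c in contents:
        if "distance" in c or "within" in c:
            start = cursor + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(payload)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        idx = payload.find(c["pattern"], start, end)  # whole match inside window
        if idx < 0:
            return False
        cursor = idx + len(c["pattern"])
    return True

# FF 51 at bytes 0-1, one skipped byte, 01 00 00 00 at bytes 3-6.
RULE_ABSOLUTE = [
    {"pattern": b"\xff\x51", "depth": 2},
    {"pattern": b"\x01\x00\x00\x00", "offset": 3, "depth": 4},
]
RULE_RELATIVE = [
    {"pattern": b"\xff\x51", "depth": 2},
    {"pattern": b"\x01\x00\x00\x00", "distance": 1, "within": 4},
]

def shift_for_header(contents, n: int):
    """Re-anchor a rule when n bytes of an outer header precede the payload.
    Every absolute content needs offset += n; in a relative chain only the
    first anchor moves, which is why one set of distances is enough."""
    out = []
    for c in contents:
        c = dict(c)
        if "distance" not in c and "within" not in c:
            c["offset"] = c.get("offset", 0) + n
        out.append(c)
    return out

# Constructed sample payloads, not captured traffic.
GOOD = bytes.fromhex("ff51aa01000000")    # matches both forms
GAP2 = bytes.fromhex("ff51aabb01000000")  # two gap bytes: matches neither
```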



