[Snort-sigs] Question on function of "within" command

Al Roethlisberger al.roethlisberger at ...2420...
Mon Jul 31 17:15:00 EDT 2006


 Although documented at:

http://www.snort.org/docs/snort_htmanuals/htmanual_233/node21.html#SECTION00457000000000000000
The "within" command seems a little confusing if used with the
"distance" command, which I have seen before in
some custom rules.

So, for example, if one has a rule such as:

content:"|XYZ|"; depth:3; content:"|1|"; distance:8; depth:1;
content:"|2|"; distance:4; depth:1;


This obviously means "XYZ", skip 8 bytes, "1", skip 4 bytes, "2"


Now, if we add the "within" parameter:

content:"|XYZ|"; depth:3; content:"|1|"; distance:8; depth:1;
content:"|2|"; distance:4; depth:1; within:2;
How is this really being inspected?

It seems from the documentation that this could mean that the value of
"2" is normally 4 bytes from the value
"1", but could also be encountered 2 bytes earlier.  So effectively,
the value of "2" could be 2 to 4 bytes from "1".

Is this correct?

If not, can someone explain how the "within" parameter functions when
in combination with the "distance" parameter?

Thanks
Al

al.roethlisberger at ...2420...
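As an added illustration (not part of the original post, and not Snort's own code), here is a small Python matcher that applies the content modifiers the way I read Snort 2's implementation: `offset`/`depth` are measured from the start of the payload, `distance` moves the start of the search window that many bytes past the end of the previous match, and `within` (or `depth`, once a content is relative) caps the length of that window; the pattern must fit entirely inside the window. The two rules from the post are run over constructed payloads that vary the gap between the "1" and "2" bytes, so you can see exactly which gaps each rule accepts rather than guessing from the manual. The `|1|` and `|2|` patterns are taken as the bytes 0x01 and 0x02 and `XYZ` as a literal string; the payload layout is invented for the demonstration.

```python
"""Toy Snort-style content matcher (constructed example, not Snort code).

Assumed semantics, stated as an assumption from reading Snort 2's
sp_pattern_match.c: a relative content (one carrying distance or within)
searches a window that starts `distance` bytes after the end of the previous
match; `within` (or `depth`, which shares the same slot once the content is
relative) limits the window length, and the whole pattern must lie inside it.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # absolute: skip this many bytes from payload start
    depth: Optional[int] = None      # absolute: search only this many bytes
    distance: Optional[int] = None   # relative: skip bytes after the previous match
    within: Optional[int] = None     # relative: window length after `distance`

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def match_rule(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Return the start position of each content match, in order, or None if
    any content fails. `doe` is the "detect offset end": one past the end of
    the previous match, which every relative content is measured from."""
    doe = 0
    positions: List[int] = []
    for c in contents:
        if c.relative:
            start = doe + (c.distance or 0)
            length = c.within if c.within is not None else c.depth
        else:
            start = c.offset
            length = c.depth
        end = len(payload) if length is None else min(len(payload), start + length)
        # The pattern must fit entirely inside [start, end).
        if start < 0 or end - start < len(c.pattern):
            return None
        idx = payload.find(c.pattern, start, end)
        if idx < 0:
            return None
        positions.append(idx)
        doe = idx + len(c.pattern)
    return positions


# The two rules from the post, expressed as content lists.
RULE_NO_WITHIN = [
    Content(b"XYZ", depth=3),
    Content(b"\x01", distance=8, depth=1),
    Content(b"\x02", distance=4, depth=1),
]
RULE_WITH_WITHIN = [
    Content(b"XYZ", depth=3),
    Content(b"\x01", distance=8, depth=1),
    Content(b"\x02", distance=4, depth=1, within=2),
]


def build_payload(gap_after_one: int) -> bytes:
    """Constructed payload: XYZ, 8 filler bytes, 0x01, `gap` filler bytes,
    0x02, then padding so a too-late 0x02 is still inside the packet."""
    return b"XYZ" + b"\x00" * 8 + b"\x01" + b"\x00" * gap_after_one + b"\x02" + b"PAD"


def compare_rules(gaps: List[int]) -> Dict[int, Tuple[bool, bool]]:
    """For each gap, report (matches without within, matches with within:2)."""
    return {
        g: (
            match_rule(build_payload(g), RULE_NO_WITHIN) is not None,
            match_rule(build_payload(g), RULE_WITH_WITHIN) is not None,
        )
        for g in gaps
    }


if __name__ == "__main__":
    for gap, (plain, with_within) in compare_rules([2, 3, 4, 5, 6]).items():
        print(f"gap={gap}: no within -> {plain}, within:2 -> {with_within}")
```

Under these semantics the rule without `within` only accepts a gap of exactly 4 (the `depth:1` window is one byte wide), while adding `within:2` widens the window to two bytes, accepting gaps of 4 or 5; a gap of 2 is rejected by both because `distance:4` is the minimum. Swapping in a different reading of `within` in `match_rule` and re-running the comparison is a quick way to check an interpretation against real Snort output before relying on it in a custom rule.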