[Snort-sigs] question on byte_jump

Dongwook Kim kimdongwk at ...2420...
Tue Feb 20 01:17:45 EST 2007


I'm trying to write a rule using the byte_jump option.

The situation I've encountered is something like the one below.

content:"|00000000|"; byte_jump:4,0,relative; byte_jump:4,0,relative,align;

In the second byte_jump above, what will the detection pointer be relative
to? Is it the last matched content |00000000| or whatever point is reached
using the first byte_jump?

D Kim
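The cursor movement for the rule fragment in the question, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model of `byte_jump` as the Snort manual describes it, where each `byte_jump` moves the detection pointer (doe_ptr) and a later `relative` option starts from that new position. The function names and the payload are constructed for illustration; only big-endian binary fields are modelled (no multiplier, string or from_beginning handling).

```python
def content(payload, pattern, cursor=0):
    """Find pattern at or after cursor; return the position just past the match."""
    i = payload.find(pattern, cursor)
    return None if i < 0 else i + len(pattern)


def byte_jump(payload, cursor, nbytes, offset, relative=False, align=False):
    """Read nbytes (big-endian) at offset, then skip that many bytes past the field."""
    base = (cursor if relative else 0) + offset
    if base < 0 or base + nbytes > len(payload):
        return None                      # length field is outside the payload
    value = int.from_bytes(payload[base:base + nbytes], "big")
    if align and value % 4:
        value += 4 - value % 4           # round the jump up to a 32-bit boundary
    target = base + nbytes + value
    return target if target <= len(payload) else None


# Constructed payload: 2 junk bytes, the content match, then two
# length-prefixed fields (the second padded to a 4-byte boundary).
PAYLOAD = (
    b"\x01\x02"
    + b"\x00\x00\x00\x00"                       # content:"|00000000|"
    + b"\x00\x00\x00\x03" + b"abc"              # field 1: length 3, no padding
    + b"\x00\x00\x00\x05" + b"hello" + b"\x00" * 3  # field 2: length 5, 3 pad bytes
    + b"TAIL"
)


def evaluate(payload):
    """Run content; byte_jump:4,0,relative; byte_jump:4,0,relative,align;"""
    after_content = content(payload, b"\x00\x00\x00\x00")
    after_jump1 = byte_jump(payload, after_content, 4, 0, relative=True)
    # The second jump starts where the first one landed, not at the content match.
    after_jump2 = byte_jump(payload, after_jump1, 4, 0, relative=True, align=True)
    return after_content, after_jump1, after_jump2


def second_jump_from_content(payload):
    """The other reading in the question, for comparison only."""
    after_content = content(payload, b"\x00\x00\x00\x00")
    return byte_jump(payload, after_content, 4, 0, relative=True, align=True)


if __name__ == "__main__":
    print(evaluate(PAYLOAD), second_jump_from_content(PAYLOAD))
```
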