[Snort-sigs] Question regarding distances after a byte_jump...

Joel Esler jesler at ...435...
Thu Dec 16 19:37:14 EST 2010


Two things that I see right away that you might want to try and make your life easier.

from_beginning's function is to start it's packet jumping at the beginning of the packet, as opposed to where your pointer is, and I am not sure that's what you are trying to do from reading your email.

Also, post_offset can confuse the novice, so you might want go make it simpler for you.

content:"|MM MM|"; byte_jump:3,0,relative; content:"|AA AA|"; distance:2; within:2;



More information about the Snort-sigs mailing list