[Snort-sigs] Question regarding distances after a byte_jump...
jesler at ...435...
Thu Dec 16 19:37:14 EST 2010
Two things that I see right away that you might want to try and make your life easier.
from_beginning's function is to start it's packet jumping at the beginning of the packet, as opposed to where your pointer is, and I am not sure that's what you are trying to do from reading your email.
Also, post_offset can confuse the novice, so you might want go make it simpler for you.
content:"|MM MM|"; byte_jump:3,0,relative; content:"|AA AA|"; distance:2; within:2;
More information about the Snort-sigs