[Snort-sigs] No need for content modifier 'within'

Joel Esler jesler at ...435...
Thu Jun 10 10:55:56 EDT 2010


Distance tells Snort how far to read into a packet to search for a pattern.
Within makes sure that at most "x" amount of bytes are between pattern matches.

Within is relative, distance is not.


10:39 AM, on Jun 10, 2010, wrote:

> Hello.  Not trying to beat a dead horse here but I was reading
> http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
> and came to a part where it said, "Offset goes with Depth, distance
> goes with within.  Don’t mix them."  I'm not sure I agree with this
> and I'm not much of a Blogger/Internet Exhibitionist so I'm posting
> this here.
> 
> We all know, offset tells Snort how far into the payload (starting
> from the beginning of the payload) to start looking for a content
> match.  Distance tells Snort how far into the payload (starting from
> the previous content match) to start looking for a content match.
> Depth *and* within tell Snort where to stop looking based on where it
> started looking.  So you can have distance and use depth if you want
> and it is perfectly OK to do this.  Do not be afraid.  The only reason
> within exists is so if you have a situation where you don't use
> distance but want to make sure no more than N bytes are between
> content matches.  But within isn't really necessary. In fact, we could
> get rid of within in the case described and just add distance:0; and
> use depth.
> 
> Hope this helps clarify a few things about the within content modifier.
> 
> Cheers,
> 
> -L0rd Ch0de1m0rt

--
Joel Esler
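A small Python model of the four modifiers as this thread describes them, added here as an illustration; it is not code from the list, from Joel Esler, or from Snort's detection engine. It assumes offset/depth are anchored at the start of the payload, distance/within at the end of the previous content match, that depth measures the window from wherever the search started, and that the whole pattern must fit inside the window; the HTTP request payload is constructed for the demo.

```python
# Toy model of the Snort content modifiers offset, depth, distance and within.
# ASSUMPTION: offset/depth are anchored at the payload start, distance/within at
# the end of the previous match, depth counts from wherever the search starts,
# and the pattern must lie wholly inside the window. Illustration only, not Snort.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # start this many bytes into the payload
    depth: Optional[int] = None      # window length from the start point
    distance: Optional[int] = None   # skip this many bytes after the previous match
    within: Optional[int] = None     # window length after the previous match (+distance)

def search_window(c: Content, prev_end: int, payload_len: int) -> Tuple[int, int]:
    """Return the [start, end) byte range in which this content is searched."""
    relative = c.distance is not None or c.within is not None
    start = prev_end + (c.distance or 0) if relative else c.offset
    length = c.within if c.within is not None else c.depth
    end = payload_len if length is None else min(start + length, payload_len)
    return start, end

def find_content(payload: bytes, c: Content, prev_end: int) -> Optional[int]:
    """Return the index just past the match, or None if it is not in the window."""
    start, end = search_window(c, prev_end, len(payload))
    idx = payload.find(c.pattern, start, end)  # pattern must fit inside [start, end)
    return None if idx < 0 else idx + len(c.pattern)

def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Evaluate a chain of content matches in order, each relative to the last."""
    prev_end = 0
    for c in contents:
        prev_end = find_content(payload, c, prev_end)
        if prev_end is None:
            return False
    return True

# Constructed sample payload: "HTTP" ends at byte 20, "Host" starts at byte 26.
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"

def demo() -> dict:
    first = Content(b"HTTP")
    return {
        # within:10 -> window [20, 30) measured from the end of "HTTP": match
        "within": rule_matches(PAYLOAD, [first, Content(b"Host", within=10)]),
        # the post's substitute distance:0; depth:10 -> the same window in this model
        "distance0_depth": rule_matches(PAYLOAD, [first, Content(b"Host", distance=0, depth=10)]),
        # depth:10 without distance is anchored at byte 0 -> window [0, 10): no match
        "depth_only": rule_matches(PAYLOAD, [first, Content(b"Host", depth=10)]),
    }
```

The last case is the point Joel makes: within (and distance) move with the previous match, while depth alone is counted from the payload start, so swapping one for the other changes where the rule looks.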