[Snort-sigs] No need for content modifier 'within'

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Thu Jun 10 11:04:48 EDT 2010


What?  Are you confusing distance and offset?  According to your blog
post, quoting the Snort manual, "The distance keyword allows the
rule writer to specify how far into a packet Snort should ignore
before starting to search for the specified pattern relative to the
end of the previous pattern match."

Distance is relative and I'm saying we don't really need the 'within'
keyword since we can just do distance:0; and then use depth since
depth is relative as well.

Hope this helps.

-L0rd Ch0de1m0rt

On 6/10/10, Joel Esler <jesler at ...435...> wrote:
> Distance tells Snort how far to read into a packet to search for a pattern
> Within makes sure that at most "x" amount of bytes are between pattern
> matches.
>
> Within is relative, distance is not.
>
>
> 10:39 AM, on Jun 10, 2010, wrote:
>
>> Hello.  Not trying to beat a dead horse here but I was reading
>> http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
>> and came to a part where it said, "Offset goes with Depth, distance
>> goes with within.  Don’t mix them."  I'm not sure I agree with this
>> and I'm not much of a Blogger/Internet Exhibitionist so I'm posting
>> this here.
>>
>> We all know, offset tells Snort how far into the payload (starting
>> from the beginning of the payload) to start looking for a content
>> match.  Distance tells Snort how far into the payload (starting from
>> the previous content match) to start looking for a content match.
>> Depth *and* within tell Snort where to stop looking based on where it
>> started looking.  So you can have distance and use depth if you want
>> and it is perfectly OK to do this.  Do not be afraid.  The only reason
>> within exists is so if you have a situation where you don't use
>> distance but want to make sure no more than N bytes are between
>> content matches.  But within isn't really necessary. In fact, we could
>> get rid of within in the case described and just add distance:0; and
>> use depth.
>>
>> Hope this helps clarify a few things about the within content modifier.
>>
>> Cheers,
>>
>> -L0rd Ch0de1m0rt
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> --
> Joel Esler
>
>
>
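
The thread argues about whether "distance:0; depth:N" can replace "within:N". The following is an added example, not code from this thread or from Snort itself: a small Python model of the four content modifiers that follows the definitions the Snort manual gives (offset and depth counted from the start of the payload, or from offset when one is given; distance and within counted from the end of the previous content match; a pattern must fit entirely inside the search window). The treatment of depth when it is combined with distance is an assumption of the model, so check it against the Snort version you actually run. The payloads and rules are constructed samples, and the helper names (content_match, rule_matches, demo) are invented for the example.

```python
"""Model of Snort content modifiers: offset, depth, distance, within.

Assumptions (this is an illustration, not Snort's own code):
  * offset and depth are anchored to the start of the payload
    (depth counts from offset when offset is given);
  * distance and within are anchored to the end of the previous
    content match (Snort's "doe" pointer);
  * the pattern must fit entirely inside the resulting window.
"""


def content_match(payload, pattern, prev_end=0, offset=None, depth=None,
                  distance=None, within=None):
    """Return the end index of the match, or None if it is not found.

    prev_end is the end of the previous content match; it is only used
    when distance or within is present, i.e. in a relative search.
    """
    relative = distance is not None or within is not None
    start = prev_end + (distance or 0) if relative else (offset or 0)
    if start < 0 or start > len(payload):
        return None
    end = len(payload)
    if within is not None:
        # Window slides with the previous match: within:N covers the N
        # bytes after prev_end (+ distance).
        end = min(end, start + within)
    if depth is not None:
        # Window is pinned to the payload start (or offset), regardless
        # of where the previous match ended.
        end = min(end, (offset or 0) + depth)
    idx = payload[start:end].find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def rule_matches(payload, contents):
    """Evaluate an ordered list of content checks; every one must hit."""
    prev_end = 0
    for spec in contents:
        spec = dict(spec)
        pattern = spec.pop("content")
        prev_end = content_match(payload, pattern, prev_end, **spec)
        if prev_end is None:
            return False
    return True


# Constructed sample payloads (not captured traffic).
PAYLOAD_A = b"HEAD foo xxxx bar tail"        # "foo" ends at 8, "bar" at 14
PAYLOAD_B = b"prefix-prefix-foo xxxx bar"    # same spacing, "foo" ends at 17
PAYLOAD_C = b"HEAD foo xxxxxxx bar"          # "bar" is too far after "foo"

# content:"foo"; content:"bar"; within:9;
RULE_WITHIN = [{"content": b"foo"},
               {"content": b"bar", "within": 9}]
# content:"foo"; content:"bar"; distance:0; depth:17;
RULE_DEPTH = [{"content": b"foo"},
              {"content": b"bar", "distance": 0, "depth": 17}]


def demo():
    """Run both rules over the samples and return the verdicts."""
    return {
        "A_within": rule_matches(PAYLOAD_A, RULE_WITHIN),
        "A_depth": rule_matches(PAYLOAD_A, RULE_DEPTH),
        "B_within": rule_matches(PAYLOAD_B, RULE_WITHIN),
        "B_depth": rule_matches(PAYLOAD_B, RULE_DEPTH),
        "C_within": rule_matches(PAYLOAD_C, RULE_WITHIN),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'alert' if verdict else 'no alert'}")
```

Under this model the two rules agree on PAYLOAD_A, where "foo" happens to sit early enough that a depth of 17 covers "bar". On PAYLOAD_B the spacing between "foo" and "bar" is identical, so within:9 still fires, but depth:17 is measured from the payload start and the window is already exhausted by the time the first match ends, so the depth rule misses. PAYLOAD_C shows within:9 correctly refusing a "bar" that is more than nine bytes past "foo".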



