[Snort-sigs] Understanding within

lists at ...3397... lists at ...3397...
Wed Aug 15 13:19:51 EDT 2012

On 08/15/12 12:13, James Lay wrote:
> I know I'm missing something (no surprise there), but not sure 
> what...any help would uh...help :)  Thanks!

Check out http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html

Your within value must also account for the byte size of the content match itself.

content:"bleh"; content:"bleh again"; within:30;

The above means there can be 20 bytes between "bleh" and "bleh again".

More information about the Snort-sigs mailing list