[Snort-sigs] Understanding within

James Lay jlay at ...3266...
Wed Aug 15 13:27:41 EDT 2012


On 2012-08-15 11:19, lists at ...3397... wrote:
> On 08/15/12 12:13, James Lay wrote:
>> I know I'm missing something (no surprise there), but not sure
>> what...any help would uh...help :)  Thanks!
>
> Check out
> http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
>
> Your within value must also account for the byte size of the content
> match itself.
>
> content:"bleh"; content:"bleh again"; within:30;
>
> The above means there can be 20 bytes between "bleh" and "bleh again".
>



Thank you.  A question I have is do we treat pcre as a...."content"?

content:"ick"; pcre:"/bleh/"; within:30;

saying that there can be 30 bytes between "ick" and "bleh"?  Or how 
does pcre fit in the scheme of content?  Danke :)

James
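
The byte accounting from the quoted reply, as an added example that is not part of the original thread: a small Python model (not Snort's own code) of `content:"bleh"; content:"bleh again"; within:30;`. The function names and sample payloads are constructed for illustration.

```python
def find_all(payload: bytes, pattern: bytes):
    """Yield every start index of pattern in payload (overlaps included)."""
    start = payload.find(pattern)
    while start != -1:
        yield start
        start = payload.find(pattern, start + 1)


def match_within(payload: bytes, first: bytes, second: bytes, within: int):
    """Model of content:first; content:second; within:N;

    Returns (cursor, second_start) for the first pair that satisfies the
    rule, or None. cursor is the offset just past the first match.
    """
    if within < len(second):
        # The window is shorter than the pattern, so it can never match.
        raise ValueError("within is smaller than the second content")
    for pos in find_all(payload, first):
        cursor = pos + len(first)                  # relative search starts here
        window = payload[cursor:cursor + within]   # second must fit entirely inside
        hit = window.find(second)
        if hit != -1:
            return cursor, cursor + hit
    return None


def max_gap(second: bytes, within: int) -> int:
    """Largest number of bytes allowed between the two matches."""
    return within - len(second)


# Constructed sample payloads (not captured traffic).
GAP_20 = b"bleh" + b"A" * 20 + b"bleh again"   # exactly fills the 30-byte window
GAP_21 = b"bleh" + b"A" * 21 + b"bleh again"   # one byte too far
RETRY = b"bleh" + b"A" * 40 + b"bleh" + b"bleh again"  # later "bleh" anchors the match

if __name__ == "__main__":
    for name, data in (("GAP_20", GAP_20), ("GAP_21", GAP_21), ("RETRY", RETRY)):
        print(name, match_within(data, b"bleh", b"bleh again", 30))
    print("max gap:", max_gap(b"bleh again", 30))
```
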



