[Snort-sigs] Understanding within

lists at ...3397... lists at ...3397...
Wed Aug 15 13:41:32 EDT 2012


On 08/15/12 12:33, Joel Esler wrote:
> You cannot apply content keywords to pcre.
> 
> (So, no, you can't do what you are asking)

Right, but he could use the /R flag (like distance:0) to make the PCRE relative
to the last content match.  You could also just PCRE-up your within.

Example:

content:"bleh"; content:"blah"; within:14;

pcre:"/bleh[^\r\n]{0,10}blah/";

PCRE version 7.8 2008-09-05

  re> /bleh[^\r\n]{0,10}blah/
data> blehblah
 0: blehblah
data> bleh1234567890blah
 0: bleh1234567890blah
data> bleh12345678901blah
No match
data>
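
The within-to-PCRE mapping from the message above, as an added example that is not part of the original post: a simplified Python model of `content; content; within:N` compared against the bounded-gap regex. The function names and the CRLF sample are constructed for illustration, and the model assumes `within` is counted from the end of the previous match to the end of the second pattern, which is what the post's within:14 / {0,10} pairing implies.

```python
import re

def content_within(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Simplified model of: content:first; content:second; within:N;"""
    start = 0
    while (i := payload.find(first, start)) != -1:
        cursor = i + len(first)              # end of the previous content match
        if second in payload[cursor:cursor + within]:
            return True                      # second pattern fits inside the window
        start = i + 1                        # retry from the next occurrence of first
    return False

def within_as_regex(first: bytes, second: bytes, within: int,
                    gap_class: bytes = rb"[^\r\n]") -> "re.Pattern[bytes]":
    """Build first + gap{0,within-len(second)} + second, as in the post."""
    gap = within - len(second)
    if gap < 0:
        raise ValueError("within is shorter than the second pattern")
    return re.compile(re.escape(first) + gap_class + b"{0,%d}" % gap + re.escape(second))

PAGE_RE = within_as_regex(b"bleh", b"blah", 14)               # /bleh[^\r\n]{0,10}blah/
ANY_RE = within_as_regex(b"bleh", b"blah", 14, rb"[\s\S]")    # gap may be any byte

def compare(payload: bytes):
    """Return (content/within model, post's PCRE, any-byte PCRE) verdicts."""
    return (content_within(payload, b"bleh", b"blah", 14),
            PAGE_RE.search(payload) is not None,
            ANY_RE.search(payload) is not None)

# Constructed samples: the three from the pcretest session plus one with CRLF in the gap.
SAMPLES = [b"blehblah", b"bleh1234567890blah",
           b"bleh12345678901blah", b"bleh12\r\n34blah"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, compare(s))
```

On the CRLF sample the `[^\r\n]` class makes the PCRE stricter than the content/within pair, since content matching places no restriction on the bytes in the gap.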



