[Snort-sigs] distance, within, and negated matches
l0rdch0de1m0rt at ...2420...
Thu May 23 15:50:20 EDT 2013
Hello. Thank you Patrick for the response. One point of clarity and one
thing that I noticed is that non-relative negated content matches seem to
*reset* the pointer so that is something to keep in mind... You should
always put non-relative negated content matches before or after your
relative content matches or it won't work as you expect!
On Sun, Jul 1, 2012 at 4:52 PM, Patrick Mullen <pmullen at ...435...>wrote:
> Wow, a flash from the past. Welcome back.
> Negated content matches do not move the cursor, which means any negative
> content match, no matter how many there are, is relative to the last thing
> to move the cursor, whether it be a regular content match, pcre, byte_jump,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs