No subject


Thu Nov 23 16:34:03 EST 2017


    R   Match relative to the end of the last pattern match. (Similar 
        to  distance:0;)

which seems to suggest that "/^.{27}/R" matches the first 27 bytes
after the last match.

As for the distance specifier, it is documented as:

    The distance keyword allows the rule writer to specify how far 
    into a packet Snort should ignore before starting to search for 
    the specified pattern relative to the end of the previous pattern 
    match.

This is somewhat unclear. It could mean the end of the last content
match or the last match (which would include things like pcre, byte_jump
and byte_test). I go for the latter reading.

Either way, it should be possible to replace the PCRE with a 
byte_test which is really the point I was trying to make.

I wish the docs were less ambiguous :-).

Erik 
-- 
-------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo at ...2555...
[W] http://www.sensorynetworks.com
[T] +61 2 83022726
[F] +61 2 94750316
[A] L6/140 William St, East Sydney NSW 2011, Australia
-------------------------------------------------------
A good debugger is no substitute for a good test suite.




More information about the Snort-sigs mailing list