[Snort-users] ftp glob rule

James Hoagland hoagland at ...47...
Mon Apr 23 20:51:32 EDT 2001


>Question: you have multiple content rules that are the same string, does
>snort really discern that these are separate strings to be detected, or
>will each one consider the entire payload (therefore meaning that the
>second two are redundant)?  My rule watches for "|2f2a|".

Unless I am mistaken, each content rule is considered for the entire payload.  You can add "offset" and "depth" specifications after "content" (but before the next "content") to modify that behavior.  I don't think you can specify the offset as relative to the previous content match, though that might be nice.


|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
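
An added example, not part of the original message and not Snort's own code: a small Python model of the matching behavior described in the reply above, showing why repeated identical "content" options are redundant and how "offset"/"depth" windows separate them. The names Content, decode_content and rule_matches are hypothetical, the payloads are constructed, and it assumes "depth" is counted from "offset".

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One "content" option with its optional offset/depth modifiers."""
    pattern: bytes
    offset: int = 0               # bytes to skip from the start of the payload
    depth: Optional[int] = None   # bytes to search from offset (None = to end)


def decode_content(text: str) -> bytes:
    """Decode Snort content notation, where |..| sections are hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        # Odd-numbered parts sit between a pair of pipes, so they are hex.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, opt: Content) -> bool:
    """Search only the window that offset/depth select."""
    end = len(payload) if opt.depth is None else opt.offset + opt.depth
    return opt.pattern in payload[opt.offset:end]


def rule_matches(payload: bytes, options: List[Content]) -> bool:
    """Every content option is tested independently against the payload."""
    return all(content_matches(payload, opt) for opt in options)


GLOB = decode_content("|2f2a|")           # b"/*"

# Constructed sample payloads.
ONE_GLOB = b"LIST /*\r\n"
THREE_GLOBS = b"LIST /*/*/*\r\n"

# Three identical contents: each is satisfied by the same single occurrence.
REPEATED = [Content(GLOB), Content(GLOB), Content(GLOB)]

# Same three contents pinned to separate 2-byte windows with offset/depth.
PINNED = [Content(GLOB, 5, 2), Content(GLOB, 7, 2), Content(GLOB, 9, 2)]

if __name__ == "__main__":
    for name, payload in (("one", ONE_GLOB), ("three", THREE_GLOBS)):
        print(name, rule_matches(payload, REPEATED), rule_matches(payload, PINNED))
```

Fixed windows like these only work when the byte positions are known in advance, which is the limitation the reply points to when it mentions offsets relative to the previous match.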
