[Snort-users] ftp glob rule

James Hoagland hoagland at ...47...
Mon Apr 23 20:51:32 EDT 2001


>Question: you have multiple content rules that are the same string, does
>snort really discern that these are separate strings to be detected, or
>will each one consider the entire payload (therefore meaning that the
>second two are redundant)?  My rule watches for "|2f2a|".

Unless I am mistaken, each content rule is considered for the entire payload.  You can add "offset" and "depth" specifications after "content" (but before the next "content") to modify that behavior.  I don't think you can specify the offset as relative to the previous content match, though that might be nice.
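
Added example (not part of the original message, and not Snort code): a small Python model of the matching behaviour described in the reply above, run over constructed FTP payloads. The function names are hypothetical, and it assumes "depth" is counted from "offset".

```python
# Added illustration; not Snort source. All names here are hypothetical.

def parse_content(spec: str) -> bytes:
    """Turn a content string such as 'LIST |2f2a|' into bytes (|..| is hex)."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def content_matches(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> bool:
    """One content option. The window always starts at an absolute payload
    position; it is never relative to where an earlier content matched.
    Assumption: depth is counted from offset."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1

def rule_matches(payload: bytes, contents) -> bool:
    """A rule fires only if every (content, offset, depth) option matches."""
    return all(content_matches(payload, parse_content(c), off, dep)
               for c, off, dep in contents)

# Three identical contents, no modifiers: each one scans the whole payload.
REPEATED = [("|2f2a|", 0, None)] * 3
# Same content pinned to three consecutive 2-byte windows after "LIST ".
WINDOWED = [("|2f2a|", 5, 2), ("|2f2a|", 7, 2), ("|2f2a|", 9, 2)]

# Constructed sample payloads (FTP command lines).
ONE_GLOB = b"LIST /*\r\n"
THREE_GLOBS = b"LIST /*/*/*\r\n"
SHIFTED = b"LIST  /*/*/*\r\n"   # one extra space moves every "/*" by a byte

if __name__ == "__main__":
    for name, rule in (("repeated", REPEATED), ("windowed", WINDOWED)):
        for payload in (ONE_GLOB, THREE_GLOBS, SHIFTED):
            print(f"{name:9} {payload!r:22} -> {rule_matches(payload, rule)}")
```

The repeated rule fires on every payload, including the one with a single "/*", while the windowed rule fires only when each "/*" sits at the exact byte position its window expects.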


