[Snort-users] ftp glob rule
hoagland at ...47...
Mon Apr 23 20:51:32 EDT 2001
>Question: you have multiple content rules that are the same string, does
>snort really discern that these are separate strings to be detected, or
>will each one consider the entire payload (therefore meaning that the
>second two are redundant)? My rule watches for "|2f2a|".
Unless I am mistaken, each content rule is considered for the entire payload. You can add "offset" and "depth" specifications after "content" (but before the next "content") to modify that behavior. I don't think you can specify the offset as relative to the previous content match, though that might be nice.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
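
The matching behaviour described in the reply above, as an added Python example that is not part of the original message and is not Snort's code: it models each content option being searched independently over the payload, and shows how "offset"/"depth" windows change the result. The function names, window values and sample payloads are constructed, and the model assumes "depth" is counted from "offset".

```python
# Simplified model of per-option content matching (added illustration,
# not Snort source). Assumption: depth is counted from offset.

def content_matches(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> bool:
    """Search for pattern inside the window that starts at `offset` and
    spans `depth` bytes (to the end of the payload when depth is None)."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1

def rule_matches(payload: bytes, contents) -> bool:
    """A rule fires only if every content option matches. Each option is
    evaluated on its own; none knows where another one matched."""
    return all(content_matches(payload, **c) for c in contents)

GLOB = bytes.fromhex("2f2a")  # the "|2f2a|" pattern from the question ("/*")

# Three identical content options with no offset/depth: each one scans the
# whole payload, so the second and third add nothing.
UNANCHORED = [{"pattern": GLOB}] * 3

# The same three options, each confined to its own window (constructed values).
WINDOWED = [
    {"pattern": GLOB, "offset": 5, "depth": 2},
    {"pattern": GLOB, "offset": 7, "depth": 2},
    {"pattern": GLOB, "offset": 9, "depth": 2},
]

# Constructed sample payloads.
ONE_GLOB = b"LIST /*\r\n"
THREE_GLOBS = b"LIST /*/*/*\r\n"

def evaluate():
    """Return the verdict of both rule variants on both sample payloads."""
    return {
        "unanchored/one": rule_matches(ONE_GLOB, UNANCHORED),
        "unanchored/three": rule_matches(THREE_GLOBS, UNANCHORED),
        "windowed/one": rule_matches(ONE_GLOB, WINDOWED),
        "windowed/three": rule_matches(THREE_GLOBS, WINDOWED),
    }

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {verdict}")
```

The unanchored variant fires on a payload containing the pattern once, which is the redundancy the question asks about; the windowed variant fires only when the pattern sits at each fixed position, which is why fixed windows cannot follow a pattern whose position shifts.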