[Snort-users] Difference between distance and within

Erick Mechler emechler at ...7719...
Tue Apr 29 07:30:10 EDT 2003


:: Can somebody provide an example of using distance and
:: within with *different* values? I have seen couple of
:: examples in the FAQ and manual and they use something
:: like distance=4; within=4. I am not completely clear
:: on the difference between the two, so an example would
:: help.  

They refer to the same thing, the number of bytes between two 'content'
matches.  For example, the following rule means "match content of 'foo' and
'bar' separated by exactly 5 bytes."

  alert tcp any any -> any any (content: "foo"; content: "bar";
        distance: 5;)

Whereas the next alert means "match content of 'foo' and 'bar' separated
by 5 bytes or less."

  alert tcp any any -> any any (content: "foo"; content: "bar";
        within: 5;)

Cheers - Erick
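An added illustration of the two modifiers as the Snort manual defines them; this is my own Python model of the rule options, not code from the post above or from Snort itself. It models distance as moving the start of the search for the second content N bytes past the end of the previous match, and within as capping the length of that search window, so the second pattern must end inside it. The payloads are constructed for the example.

```python
from typing import Optional


def find_relative(payload: bytes, first: bytes, second: bytes,
                  distance: int = 0, within: Optional[int] = None) -> bool:
    """Model of content:first; content:second; distance:N; within:M.

    distance N: the search for `second` starts N bytes after the end of the
                `first` match, so the gap between them is at least N bytes.
    within M:   `second` must lie entirely inside the M-byte window that
                begins where the search starts (gap + len(second) <= M when
                no distance is given).
    Every occurrence of `first` is tried, so a later `first` can still lead
    to a match when the earliest one does not (assumption of this model).
    """
    search_from = 0
    while True:
        i = payload.find(first, search_from)
        if i < 0:
            return False
        prev_end = i + len(first)
        win_start = prev_end + distance
        # Without within, the window runs to the end of the payload.
        win_end = len(payload) if within is None else min(len(payload), win_start + within)
        # bytes.find(sub, start, end) only reports matches that end at or before `end`,
        # which is exactly the "entirely inside the window" requirement.
        if win_start <= win_end and payload.find(second, win_start, win_end) >= 0:
            return True
        search_from = i + 1


if __name__ == "__main__":
    # Constructed payloads: 'x' bytes stand in for the gap between foo and bar.
    cases = [b"foobar", b"fooxxbar", b"fooxxxbar", b"fooxxxxxbar", b"fooxxxxxxxbar"]
    print(f"{'payload':<16}{'distance:5':<12}{'within:5':<10}{'dist:4;within:4'}")
    for p in cases:
        print(f"{p.decode():<16}"
              f"{str(find_relative(p, b'foo', b'bar', distance=5)):<12}"
              f"{str(find_relative(p, b'foo', b'bar', within=5)):<10}"
              f"{find_relative(p, b'foo', b'bar', distance=4, within=4)}")
```

Running it shows the asymmetry: distance:5 is a lower bound on the gap and still matches a gap of 7, while within:5 is an upper bound on where "bar" may end and rejects a gap of 3.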



