[Snort-users] Difference between distance and within

Brian bmc at ...950...
Wed Apr 30 09:17:09 EDT 2003


On Mon, Apr 28, 2003 at 01:18:08PM -0700, Madhu Joshi wrote:
> Can somebody provide an example of using distance and
> within with *different* values? I have seen couple of
> examples in the FAQ and manual and they use something
> like distance=4; within=4. I am not completely clear
> on the difference between the two, so an example would
> help.  

For a basic understanding, this explanation should help.  

* distance: x;
   start looking for the specified content X bytes from the end of the
   previous content.

   example:
      content:"foo"; content:"bar"; distance:3;

   how it works:
      look for a content of "foo", then skip 3 bytes from the end of
      "foo".  From that location, look for "bar"

* within: x;
   the end of this content must be within X bytes from the end of the
   previous content.

   example:
      content:"foo"; content:"bar"; within:10;

   how it works:
      look for a content of "foo", then look for a content of "bar"
      that occurs within 10 bytes of the end of "foo"

* distance:x; within:y;
   start looking for the specified content X bytes from the end of the 
   previous content and only look for the content within Y bytes from 
   that.

   example:
      content:"foo"; content:"bar"; distance:3; within:3;

   how it works:
      look for a content of "foo", then skip 3 bytes from the end of
      "foo".  From that location, look for "bar" within 3 bytes.


-brian
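As an added illustration (not part of Brian's post and not Snort's own code), here is a small Python model of the three cases above. Each content is a (pattern, distance, within) tuple, and the helper reports whether a constructed payload satisfies the whole chain, so you can check a rule's window arithmetic before deploying it.

```python
"""Toy model of Snort's content / distance / within semantics as explained
in the post above. Constructed example: it follows the description, not
Snort's detection engine."""

from typing import List, Optional, Tuple

# (pattern, distance, within): distance and within are relative to the end
# of the previous content match; within=None means "no upper bound".
Content = Tuple[bytes, int, Optional[int]]


def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """Return True if every content matches in order under its modifiers."""
    prev_end = 0  # the first content is searched from the start of the payload
    for pattern, distance, within in contents:
        # distance: skip this many bytes past the end of the previous match
        start = prev_end + distance
        # within: the current pattern must END no more than 'within' bytes
        # after the point where searching starts
        end = len(payload) if within is None else min(len(payload), start + within)
        # bytes.find with a stop index only reports matches that fit entirely
        # before 'end', which is exactly the "end of content within" rule.
        idx = payload.find(pattern, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pattern)
    return True


# The three rule fragments from the post, encoded as content chains.
RULE_DISTANCE = [(b"foo", 0, None), (b"bar", 3, None)]   # distance:3
RULE_WITHIN = [(b"foo", 0, None), (b"bar", 0, 10)]       # within:10
RULE_BOTH = [(b"foo", 0, None), (b"bar", 3, 3)]          # distance:3; within:3

if __name__ == "__main__":
    # constructed payloads: 'X' and digits are filler bytes between foo and bar
    cases = [
        ("distance:3", RULE_DISTANCE, b"fooXXXbar"),        # bar exactly 3 past foo
        ("distance:3", RULE_DISTANCE, b"fooXXXXXXXbar"),    # distance is a minimum
        ("distance:3", RULE_DISTANCE, b"fooXbar"),          # too close: no match
        ("within:10", RULE_WITHIN, b"foo1234567bar"),       # bar ends 13 bytes in
        ("within:10", RULE_WITHIN, b"foo12345678bar"),      # one byte too far
        ("distance:3; within:3", RULE_BOTH, b"fooXXXbar"),  # only exact fit matches
        ("distance:3; within:3", RULE_BOTH, b"fooXXXXbar"),
    ]
    for label, rule, payload in cases:
        print(f"{label:22} {payload!r:20} -> {match_contents(payload, rule)}")
```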