[Snort-users] rules keyword

Patrice Boulanger pboulanger at ...7942...
Wed Jan 8 09:51:03 EST 2003


Hi,

Someone can tell me what the "within" keyword in the following rule means :

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
attempt"; flow:to_server,established; content:"PASS "; nocase;
content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

I have read the doc but there is nothing about this. I use a snort v1.9 and
my rules set comes directly from snort.org. These rules are attempted to be
use with this version (as indicated on the web site).

Thank in advance for your help.

----------
Patrice Boulanger
EXTERNALL
pboulanger at ...7942...
http://www.externall.net
137, bvd Voltaire - 75011 Paris
Standard: +33 1 58 39 33 00
Direct: +33 1 58 39 33 61





More information about the Snort-users mailing list