[Snort-users] rules keyword

Erek Adams erek at ...950...
Wed Jan 8 10:07:03 EST 2003


On Wed, 8 Jan 2003, Patrice Boulanger wrote:

> Someone can tell me what the "within" keyword in the following rule means :
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
> attempt"; flow:to_server,established; content:"PASS "; nocase;
> content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
> reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)
>
> I have read the doc but there is nothing about this. I use a snort v1.9 and
> my rules set comes directly from snort.org. These rules are attempted to be
> use with this version (as indicated on the web site).



More information about the Snort-users mailing list