[Snort-users] Depth and multi content rule help.

larosa, vjay larosa_vjay at ...3331...
Tue Jun 17 11:21:07 EDT 2003


Hello,
 
If I have a rule with three pattern matches in it and I want to limit the
search depth for just one of the content searches, but I want the other two
pattern matches to search the whole packet, is this possible?
This is an example of what I am trying to do.
 
alert ip any any -> any any (msg:"Test"; content:"123"; content:"101112";
depth:48; content:"|ff 53 4d 42 a2|";)
 
Will this work? Or will my depth keyword apply to all three content
matches?
 
Thanks!
 
vjl 
 
V.Jay LaRosa                   EMC Corporation
Information Security          4400 Computer Dr.
(508)898-7433 Office       Westboro, MA 01580
(508)353-1348 Cell           www.emc.com <http://www.emc.com> 
888-799-9750 Pager         vjl at ...3331...
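
An added example, not part of the original post and not Snort's own matching code: a simplified Python model of how Snort scopes `depth` to the `content` keyword immediately before it, leaving the other `content` keywords to search the whole payload. The function names and the payloads are assumptions constructed for illustration.

```python
import re

# Options from the rule in the post, with msg terminated by ';'.
RULE_OPTIONS = ('msg:"Test"; content:"123"; content:"101112"; '
                'depth:48; content:"|ff 53 4d 42 a2|";')

def decode_content(text):
    """Turn Snort content syntax into bytes; |..| sections are hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        # Odd-numbered parts sit between pipes and hold hex byte values.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(options):
    """Return [(pattern_bytes, depth_or_None), ...] in rule order."""
    checks = []
    for key, value in re.findall(r'(\w+):\s*("[^"]*"|[^;]+);', options):
        if key == "content":
            checks.append([decode_content(value.strip('"')), None])
        elif key == "depth" and checks:
            # depth modifies only the content keyword just before it.
            checks[-1][1] = int(value)
    return [tuple(c) for c in checks]

def payload_matches(options, payload):
    """True when every content pattern is found inside its own window."""
    for pattern, depth in parse_contents(options):
        # No depth: search the whole payload. With depth: the pattern
        # must lie entirely within the first `depth` bytes.
        window = payload if depth is None else payload[:depth]
        if pattern not in window:
            return False
    return True

# Constructed payloads (not captured traffic).
SMB = b"\xffSMB\xa2"
EARLY = b"101112" + b"A" * 60 + b"123" + SMB      # "101112" at offset 0
LATE = b"A" * 60 + b"101112" + b"123" + SMB       # "101112" past byte 48
STRADDLE = b"A" * 45 + b"101112" + b"123" + SMB   # crosses the 48-byte mark

if __name__ == "__main__":
    for name, data in (("EARLY", EARLY), ("LATE", LATE),
                       ("STRADDLE", STRADDLE)):
        print(name, payload_matches(RULE_OPTIONS, data))
```

In the EARLY payload, "123" and the SMB bytes sit well past byte 48 and still match, because only "101112" carries the depth limit.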
 