[Snort-users] RE: [Snort-sigs] Depth and multi content rule help.

SRH-Lists giermo at ...8381...
Tue Jun 17 11:54:04 EDT 2003


>Hello,
> 
>If I have a rule with three pattern matches in it
>and I want to limit the search depth for just one
>of the content searches, but I want the other two
>pattern matches to search the whole packet, is this possible?
>This is an example of what I am trying to do.
>
>alert any any -> any any (msg:"Test" content:"123"; content:"101112"; depth:48; content:"|ff 53 4d 42 a2|";)
>
>Will this work? Or will my depth keyword apply to all three content matches?

1)  Don't cross post between the different snort lists.
2)  Depth works just like you want it to, it modifies only the 'content'
keyword immediately preceding it.
	So in your example only the 'content:"101112";' gets modified.

-steve
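
The behaviour described in the reply, as an added example that is not part of the original thread: a simplified Python model (not Snort's own parser) that attaches each depth to the content keyword immediately before it and checks the rule's options against two constructed payloads. The function names and payloads are assumptions for illustration, and the option string adds the ';' after msg that the posted rule lacks.

```python
import re

# One rule option: keyword, optionally a quoted or bare value, then ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*(?:"([^"]*)"|([^;]*)))?\s*;')

def decode_content(text):
    """Turn a content string with |hex| sections into bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        # Odd-numbered parts sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(options):
    """Return one entry per content keyword, carrying only its own depth."""
    contents = []
    for key, quoted, bare in OPTION_RE.findall(options):
        if key == "content":
            contents.append({"pattern": decode_content(quoted), "depth": None})
        elif key == "depth" and contents:
            # depth modifies the content keyword immediately before it.
            contents[-1]["depth"] = int(bare)
    return contents

def rule_matches(contents, payload):
    """Every content must be found; depth narrows only its own search window."""
    for c in contents:
        window = payload if c["depth"] is None else payload[:c["depth"]]
        if c["pattern"] not in window:
            return False
    return True

# Option string from the post, with a ';' added after msg so it parses.
OPTIONS = ('msg:"Test"; content:"123"; content:"101112"; depth:48; '
           'content:"|ff 53 4d 42 a2|";')
CONTENTS = parse_contents(OPTIONS)

# Constructed payloads (not captured traffic).
SMB = bytes.fromhex("ff534d42a2")
NEAR = b"101112" + b"\x00" * 60 + b"123" + SMB  # "101112" inside first 48 bytes
FAR = b"\x00" * 60 + b"101112" + b"123" + SMB   # "101112" starts at offset 60

if __name__ == "__main__":
    for c in CONTENTS:
        print(c)
    print("NEAR matches:", rule_matches(CONTENTS, NEAR))
    print("FAR matches:", rule_matches(CONTENTS, FAR))
```

In NEAR the other two patterns sit past byte 48 and still match, while FAR fails only because "101112" falls outside its 48-byte window.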



