[Snort-users] Re: [Snort-sigs] Depth and multi content rule help.

Chris Green cmg at ...1935...
Wed Jun 18 09:59:05 EDT 2003


[ use only sigs or only users ]

"larosa, vjay" <larosa_vjay at ...3331...> writes:

> If I have a rule with three pattern matches in it and I want to limit the
> search depth for just one of the content searches, but I want the other two
> pattern matches to search the whole packet is this possible?
> This is an example of what I am trying to do.
>  
> alert any any -> any any (msg:"Test" content:"123"; content:"101112";
> depth:48; content:"|ff 53 4d 42 a2|";)
>  
> Will this work? Or will my depth keyword apply to the all three content
> matches?

It only applies to the previous content option.

-- 
Chris Green <cmg at ...1935...>
You now have 14 minutes to reach minimum safe distance.




More information about the Snort-users mailing list