[Snort-users] RE: [Snort-sigs] Depth and multi content rule help.
shalligan at ...8381...
Thu Jun 19 09:14:33 EDT 2003
>If I have a rule with three pattern matches in it
> and I want to limit the search depth for just one
>of the content searches, but I want the other two
>pattern matches to search the whole packet is this possible?
>This is an example of what I am trying to do.
>alert any any -> any any (msg:"Test" content:"123"; content:"101112";
depth:48; content:"|ff 53 4d 42 a2|";)
>Will this work? Or will my depth keyword apply to the all three content
1) Don't cross post between the different snort lists.
2) Depth works just like you want it to, it modifies only the 'content'
keyword immediately proceeding it.
So in your example only the 'content:"101112;" get modified.
More information about the Snort-users