[Snort-users] Rule creation: content keyword

Frank Knobbe frank at ...9761...
Sun Feb 6 13:23:48 EST 2005


On Sun, 2005-02-06 at 20:13 +0100, mosquitooth at ...158... wrote:
> just one question: If I specify more than one "content:"[x]"" keyword in a
> snort rule - are these content patterns relative towards each other? If so,
> where does a new search for e.g. the second pattern start? At the last byte
> of the last (e.g. first) successful match?


It's all explained in the Snort Manual at:
http://www.snort.org/docs/snort_manual/


Specifically this section:
http://www.snort.org/docs/snort_manual/node20.html


Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050206/6a0dd02a/attachment.sig>


More information about the Snort-users mailing list