[Snort-users] Rule creation: content keyword

Basselgia, Barry A Mr (NAF Atsugi) BABasselgia at ...12104...
Sun Feb 6 16:10:47 EST 2005


The content modifier keywords control how multiple content: statements
relate to each other.

For example:

depth is relative to the beginning of the payload.
distance is relative to the end of the last pattern match.

This is explained in the snort_manual that comes with the source.

Barry


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
mosquitooth at ...158...
Sent: Monday, February 07, 2005 4:14 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule creation: content keyword


Hi,

just one question: If I specify more than one "content:"[x]"" keyword in a
snort rule - are these content patterns relative towards each other? If so,
where does a new search for e.g. the second pattern start? At the last byte
of the last (e.g. first) successful match?


Thanks if someone can enlighten me,

Peter
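
Added example, not part of the original e-mails and not Snort's own code: a simplified Python model of the search windows the reply describes, showing where the search for a second content starts with and without a relative modifier. The dict keys mirror the rule keywords, the payload is constructed, and the model assumes that depth counts from offset when one is given and that within counts from the position reached after distance is applied.

```python
# Simplified model of Snort content search windows (added example, not Snort code).
# A content is a dict: "pattern" plus optional offset/depth (anchored at the
# start of the payload) or distance/within (anchored at the end of the
# previous match). nocase, negation and other options are not modelled.

SAMPLE = b"PASS xyz USER anonymous PASS guest"  # constructed payload

def window(c, prev_end, n):
    """Return the [start, end) byte range in which c's pattern must lie."""
    if "distance" in c or "within" in c:
        start = prev_end + c.get("distance", 0)      # relative to last match
        end = start + c["within"] if "within" in c else n
    else:
        start = c.get("offset", 0)                   # relative to payload start
        end = start + c["depth"] if "depth" in c else n
    return max(start, 0), min(end, n)

def match(payload, contents, i=0, prev_end=0):
    """Return the start position of each content match, or None on failure."""
    if i == len(contents):
        return []
    c = contents[i]
    start, end = window(c, prev_end, len(payload))
    pos = payload.find(c["pattern"], start, end)
    while pos != -1:
        rest = match(payload, contents, i + 1, pos + len(c["pattern"]))
        if rest is not None:
            return [pos] + rest
        # Later contents failed: retry this pattern further along.
        pos = payload.find(c["pattern"], pos + 1, end)
    return None

if __name__ == "__main__":
    user = {"pattern": b"USER"}
    # No modifier: the second search starts again at byte 0 of the payload.
    print(match(SAMPLE, [user, {"pattern": b"PASS"}]))
    # distance:0 starts the second search where the USER match ended.
    print(match(SAMPLE, [user, {"pattern": b"PASS", "distance": 0}]))
    # within:10 ends the window before the second PASS, so the chain fails.
    print(match(SAMPLE, [user, {"pattern": b"PASS", "distance": 0, "within": 10}]))
```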
