[Snort-users] Rule creation: content keyword

mosquitooth at ...158... mosquitooth at ...158...
Mon Feb 7 00:26:42 EST 2005


Hi again,

thanks for all your answers! Just to check if I got everything right:

- When more than one "content" keyword is specified, the additional are
relative towards each other. So, the start for the search of the second
pattern starts at the last byte of the first matching pattern in the
payload.

- Now, different keywords can be added:

depth: Sets the max number of bytes in which is searched for the pattern,
relative to the last matching pattern (if one exists) and to a given
"offset" (e.g. offset: 4;depth:20; -> 'search for the pattern in 20 bytes,
starting at byte 5).

offset: sets the number of bytes to ignore in the payload. This is an
absolute value, so counting always starts at byte 1 of the payload. (correct
?)

distance: specifies the number of bytes to ignore (!) between two matching
pattern. Can't see the relationship to depth mentioned in the snort manual:
this specifies a number of bytes to IGNORE, but depth specifies the number
of bytes the search uses. By the way, the statement:

This can be thought of as exactly the same thing as depth (See Section ??),
except it is relative to the end of the last pattern match instead of the
beginning of the packet.

Now, I really thought that depth was relative, isn't it?

Are my conclusions correct? Or did I get anything wrong?

Thanks a lot
Peter

-- 
Lassen Sie Ihren Gedanken freien Lauf... z.B. per FreeSMS
GMX bietet bis zu 100 FreeSMS/Monat: http://www.gmx.net/de/go/mail




More information about the Snort-users mailing list