[Snort-users] Rule creation: content keyword

Matt Kettler mkettler at ...4108...
Mon Feb 7 08:33:18 EST 2005


At 02:13 PM 2/6/2005, mosquitooth at ...158... wrote:
>just one question: If I specify more than one "content:"[x]"" keyword in a
>snort rule - are these content patterns relative towards each other? If so,
>where does a new search for e.g. the second pattern start? At the last byte
>of the last (e.g. first) successful match?

Yes they are relative to each other.

The search for the second string begins just after the end of the first, 
unless you use the offset keyword to modify the second content, in which 
case that many bytes are skipped prior to starting the search. 





More information about the Snort-users mailing list