[Snort-users] how to create testing data files??

waldo kitty wkitty42 at ...14940...
Sat Aug 14 20:17:25 EDT 2010


On 8/14/2010 19:56, Joel Esler wrote:
> On Aug 14, 2010, at 7:44 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>
>> concerning if within
>> takes into account the distance or not...
>>
> Clarify.

well, i've tried on that other list...

i'll try again over here...

given the following rule structure...

content:"ABC"; content:"EFG"; distance:1; within:10;

which of the following strings do NOT alert and why?

  1. ABCEFG
  2. ABCxEFG
  3. ABCx123456EFG
  4. ABCx1234567EFG
  5. ABCx12345678EFG
  6. ABCx123456789EFG
  7. ABCxx123456EFG
  8. ABCxx1234567EFG
  9. ABCxx12345678EFG
10. ABCxx123456789EFG


[sharp eyes will see that i'm trying to find the "maximal" or "most extreme" or 
"last" data package that will alert]


>> also, there's a question in the above of if the within content must /all/ reside
>> within or if it must only /start/ within...
>
> It must be wholly within the "within" space.

thank you... that answers that one ;)
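As an added example (not code from the thread or from Snort), the ten strings above can be checked against the rule under the two readings of `within` the thread contrasts: the window counted from the end of the previous match, or from the point reached after `distance` is applied. Which reading Snort implements is an assumption left open here; the one fact taken from the thread is Joel's answer that the second content must lie wholly inside the window.

```python
# Added example (not from the thread): evaluate the poster's ten test
# strings against  content:"ABC"; content:"EFG"; distance:1; within:10;
# under the two readings of "within" the thread contrasts. Which reading
# Snort actually uses is NOT asserted here; both are modelled as assumptions.
FIRST, SECOND = b"ABC", b"EFG"
DISTANCE, WITHIN = 1, 10

TEST_STRINGS = [  # the ten strings from the post
    b"ABCEFG", b"ABCxEFG", b"ABCx123456EFG", b"ABCx1234567EFG",
    b"ABCx12345678EFG", b"ABCx123456789EFG", b"ABCxx123456EFG",
    b"ABCxx1234567EFG", b"ABCxx12345678EFG", b"ABCxx123456789EFG",
]

def find_relative(data, prev_end, pattern, distance, within, within_from_distance):
    """Search for `pattern` relative to the end of the previous match.

    The search starts `distance` bytes after the previous match. The window
    is `within` bytes long, measured either from the end of the previous
    match (within_from_distance=False) or from the point reached after
    applying distance (within_from_distance=True). Slicing the buffer to the
    window means the pattern must lie wholly inside it, as Joel states.
    Returns the match offset, or -1.
    """
    start = prev_end + distance
    base = start if within_from_distance else prev_end
    hit = data[start:base + within].find(pattern)
    return -1 if hit < 0 else start + hit

def rule_alerts(data, within_from_distance):
    """True if both contents match under the chosen reading of within."""
    first = data.find(FIRST)
    if first < 0:
        return False
    prev_end = first + len(FIRST)
    return find_relative(data, prev_end, SECOND, DISTANCE, WITHIN,
                         within_from_distance) >= 0

def evaluate(strings=TEST_STRINGS):
    """Map each string to (alerts with within counted from previous match end,
                           alerts with within counted from after distance)."""
    return {s.decode(): (rule_alerts(s, False), rule_alerts(s, True))
            for s in strings}

if __name__ == "__main__":
    for s, (from_end, from_dist) in evaluate().items():
        print(f"{s:20s} from-end={from_end!s:5} from-distance={from_dist}")
```

Strings 4 and 7 are the ones that separate the two readings: EFG ends exactly at byte 14 after ABC, which is inside a 10-byte window only if that window starts after the 1-byte distance.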



