[Snort-users] how to create testing data files??

Joel Esler jesler at ...1935...
Sat Aug 14 22:11:05 EDT 2010


On Aug 14, 2010, at 8:17 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 8/14/2010 19:56, Joel Esler wrote:
>> On Aug 14, 2010, at 7:44 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>> 
>>> concerning if within
>>> takes into account the distance or not...
>>> 
>> Clarify.
> 
> well, i've tried on that other list...
> 
> i'll try again over here...
> 
> given the following rule structure...
> 
> content:"ABC"; content:"EFG"; distance:1; within:10;
> 
> which of the following strings do NOT alert and why?
> 
>  1. ABCEFG

No. E is in position "distance:0".

>  2. ABCxEFG

Yes. 


>  3. ABCx123456EFG

Yes. 


>  4. ABCx1234567EFG

Yes. 

>  5. ABCx12345678EFG

No. G is in position 11. 

>  6. ABCx123456789EFG

No. G is in position 12.


>  7. ABCxx123456EFG

Yes. The first "x" is distance 0. The second is distance 1. 


>  8. ABCxx1234567EFG

No, too long. G is in position 11.


>  9. ABCxx12345678EFG

No, too long. G is in position 12. 

> 10. ABCxx123456789EFG

No. Too long. G is in position 13.  

Does that help?
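
Added example, not part of the original message and not Snort source code: a small Python model of the window the answers above describe, run over the ten test strings from the thread. It assumes the search starts `distance` bytes after the end of "ABC" and that all of "EFG" must fall inside the next `within` bytes; the names relative_match and evaluate are hypothetical.

```python
# Added illustration, not Snort source code. It models the search window the
# way the answers above count it (an assumption drawn from this thread).

def relative_match(payload, first, second, distance, within):
    """Return (alerts, pos) for content:first; content:second; distance; within.

    pos is the 1-based position of the last byte of `second`, counted from the
    first byte searched once `distance` bytes have been skipped; None if
    `second` never appears in the searched region.
    """
    worst = None
    start = payload.find(first)
    while start != -1:
        # The search begins `distance` bytes past the end of the first match.
        window_start = start + len(first) + distance
        hit = payload.find(second, window_start)
        if hit != -1:
            pos = hit + len(second) - window_start
            if pos <= within:      # the whole second pattern fits the window
                return True, pos
            if worst is None:
                worst = pos        # remember how far out of range it was
        start = payload.find(first, start + 1)  # retry on a later first match
    return False, worst

# The ten test strings from the thread, in order.
SAMPLES = [
    b"ABCEFG", b"ABCxEFG", b"ABCx123456EFG", b"ABCx1234567EFG",
    b"ABCx12345678EFG", b"ABCx123456789EFG", b"ABCxx123456EFG",
    b"ABCxx1234567EFG", b"ABCxx12345678EFG", b"ABCxx123456789EFG",
]

def evaluate(samples=SAMPLES, distance=1, within=10):
    return [relative_match(s, b"ABC", b"EFG", distance, within) for s in samples]

if __name__ == "__main__":
    for n, (sample, (alerts, pos)) in enumerate(zip(SAMPLES, evaluate()), 1):
        verdict = "alert" if alerts else "no alert"
        print(f"{n:2}. {sample.decode():<18} {verdict:<9} last byte at {pos}")
```

Before relying on a rule, replay payloads like these through the Snort build that will be deployed and compare its alerts with the model.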