[Snort-users] byte_test and relative

Praveen D praveend.hac at ...11827...
Wed Jan 14 04:58:19 EST 2015


Hi,

In byte_test, relative is mentioned as "Use an offset relative to last
pattern match".
Please confirm if the pattern match is relative to "content:" or "pcre:" or
both.

41 42 43 44 . . . .  10 . . . . . 31 32        ABCD . . . .  . . . . . . 1 2

content:"ABCD"; byte_test:1,=,0x10,4,relative;
pcre:"/ABCD/"; byte_test:1,=,0x10,4,relative;

Will both content/pcre work?

Best Regards,
Praveen Darshanam
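
A simplified model of the relative cursor asked about above, as an added example that is not part of the original message and is not Snort's code. It runs the test from the post (one byte equal to 0x10, four bytes past the match) after a content-style and a pcre-style match; the function names, the filler bytes in the payload, and the assumption that both content and pcre leave the cursor at the end of their match are assumptions of this example.

```python
import re

# Constructed payload following the dump in the post: "ABCD", four filler
# bytes, 0x10, five filler bytes, then "12" (0x31 0x32). Filler values are made up.
PAYLOAD = b"ABCD" + b"\x00" * 4 + b"\x10" + b"\x00" * 5 + b"12"


def content(payload, pattern):
    """Model of content: return the cursor just past the match, or None."""
    idx = payload.find(pattern)
    return None if idx < 0 else idx + len(pattern)


def pcre(payload, regex):
    """Model of pcre: assumed to leave the cursor at the end of the match."""
    m = re.search(regex, payload)
    return None if m is None else m.end()


def byte_test(payload, nbytes, value, offset, cursor=None):
    """Model of byte_test with '=': big-endian compare of nbytes at offset.

    cursor=None models the non-relative form (offset from payload start);
    a cursor value models 'relative' (offset from the end of the last match).
    """
    start = offset + (cursor or 0)
    if start < 0 or start + nbytes > len(payload):
        return False  # the read would fall outside the payload: no match
    return int.from_bytes(payload[start:start + nbytes], "big") == value


def evaluate(payload, matcher, pattern, relative=True):
    """Run a pattern match, then the post's 1-byte test for 0x10 at offset 4."""
    cursor = matcher(payload, pattern)
    if cursor is None:
        return False
    return byte_test(payload, 1, 0x10, 4, cursor if relative else None)


if __name__ == "__main__":
    shifted = b"\xff\xff\xff" + PAYLOAD  # same data, pattern no longer at byte 0
    for name, data in (("as dumped", PAYLOAD), ("shifted by 3", shifted)):
        print(name,
              "content+relative:", evaluate(data, content, b"ABCD"),
              "pcre+relative:", evaluate(data, pcre, rb"ABCD"),
              "content, not relative:", evaluate(data, content, b"ABCD", False))
```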