Thu Nov 23 16:36:19 EST 2017
'The "distance" keyword gives you a relative offset from the end of the
last match, so it basically acts as a wildcarding mechanism. You can also
use the new "within" keyword to limit how deep into the packet from the
end of the distance it'll search before it stops.'
So, I read that rule as 'Find the content "PASS" without a 0A (hex) within
50 bytes of "PASS" '.
Hope that helps!
"When things get wierd, the wierd turn pro." H.S. Thompson
More information about the Snort-users