No subject


Thu Nov 23 16:36:19 EST 2017


	http://marc.theaimsgroup.com/?l=snort-users&m=103334784719103&w=2

'The "distance" keyword gives you a relative offset from the end of the
last match, so it basically acts as a wildcarding mechanism.  You can also
use the new "within" keyword to limit how deep into the packet from the
end of the distance it'll search before it stops.'

So, I read that rule as 'Find the content "PASS" without a 0A (hex) within
50 bytes of "PASS" '.

Hope that helps!

-----
Erek Adams

   "When things get wierd, the wierd turn pro."   H.S. Thompson




More information about the Snort-users mailing list