No subject

Thu Nov 23 16:36:19 EST 2017

'The "distance" keyword gives you a relative offset from the end of the
last match, so it basically acts as a wildcarding mechanism.  You can also
use the new "within" keyword to limit how deep into the packet from the
end of the distance it'll search before it stops.'

So, I read that rule as 'Find the content "PASS" without a 0A (hex) within
50 bytes of "PASS" '.

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
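An added example, not part of the original message and not Snort's own code: a simplified Python model of relative content matching as the quoted text describes it, applied to the "PASS without 0A within 50 bytes" reading. The function names and the sample payloads are constructed for illustration, and the model only looks at the bytes actually present in the payload.

```python
def find_relative(payload, pattern, prev_end, distance=0, within=None):
    """Search for pattern relative to the end of the previous match.

    distance: bytes to skip after prev_end before the search starts.
    within:   how many bytes past that start the whole match must fit in
              (None means search to the end of the payload).
    Returns the offset just past the match, or None if there is no match.
    """
    start = prev_end + distance
    stop = len(payload) if within is None else min(len(payload), start + within)
    idx = payload.find(pattern, start, stop)  # match must lie inside [start, stop)
    return None if idx < 0 else idx + len(pattern)


def pass_without_newline(payload, window=50):
    """True when "PASS" is present and no 0x0A follows within `window` bytes."""
    pass_end = find_relative(payload, b"PASS", 0)
    if pass_end is None:
        return False  # first content did not match, so the rule cannot fire
    # Negated relative content: fire only if 0x0A is absent from the window.
    return find_relative(payload, b"\x0a", pass_end, within=window) is None


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = {
        "normal login": b"PASS hunter2\r\n",
        "oversized argument": b"PASS " + b"A" * 100 + b"\r\n",
        "no PASS command": b"USER bob\r\n",
    }
    for label, data in samples.items():
        print(f"{label:20s} alert={pass_without_newline(data)}")
```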
