Hosting Provided By

RE: [Snort-sigs] Look for attached files?

From: Andrew Hintz \(Drew\) <drew(at)overt.org>
Date: Sun May 25 2003 - 21:28:43 EDT

> What does the "distance" in the rules mean?

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.38

2.3.38 distance

The distance keyword is a content modifier that makes sure that atleast N bytes are between pattern matches using the Content ( See Section 2.3.9 ). It's designed to be used in conjunction with the within (Section 2.3.39) rule option.

The rule listed in Figure 2.32 maps to a regular expression of ÄBCDE.{1}EFGH\". Format

distance: <byte count>;

alert tcp any any -> any any (content: "2 Patterns"; \

content: "ABCDE"; content: "EFGH"; distance: 1;)

Do you need help?

Figure 2.32: distance usage example

--
^Drew
http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. 
http://www.objectstore.net/sourceforge
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Sun May 25 22:12:51 2003

This message: [ Message body ]
Next message: McKinlay, Ken: "[Snort-sigs] Possible false positive on SID 663"
In reply to Magnus Larsson: "[Snort-sigs] Look for attached files?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT