Hosting Provided By

Re: [Snort-users] byte_test, byte_jump, distance, within

From: Chris Green <cmg(at)sourcefire.com>
Date: Mon Mar 31 2003 - 08:58:10 EST

"Clemens, Dan" <Dan.Clemens@healthsouth.com> writes:

> 1. (*) text/plain ( ) text/html
>
> Can someone point me to some documentation on these new options.

src/detection-plugins/sp_byte_{check,jump}.c has good comments at the top of the files.

>From a reply to Phil wood earlier:

The easiest way to view distance is

a.{4}.*b

where that maps to:

Do you need help?

content: "a"; content: "b"; distance: 4;

Within bounds the number of bytes that will be checked prior.

-- 
Chris Green 
Chicken's thinkin'


-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Received on Mon Mar 31 10:05:03 2003

This message: [ Message body ]
Next message: Patrick S. Harper: "Re: [Snort-users] ACID"
Previous message: Chris Green: "Re: [Snort-users] Snort 2.0 rc1 available"
In reply to Clemens, Dan: "[Snort-users] byte_test, byte_jump, distance, within"
Reply: Chris Green: "Re: [Snort-users] No longer seeing exploit traffic on version 2.0.0"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:50:32 EDT