Snort mailing list archives

Previous By Date Next
Previous By Thread Next

rules keyword

From: "Patrice Boulanger" <pboulanger () fr externall net>
Date: Wed, 8 Jan 2003 18:48:50 +0100
Hi,

Someone can tell me what the "within" keyword in the following rule means :

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
attempt"; flow:to_server,established; content:"PASS "; nocase;
content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

I have read the doc but there is nothing about this. I use a snort v1.9 and
my rules set comes directly from snort.org. These rules are attempted to be
use with this version (as indicated on the web site).

Thank in advance for your help.

----------
Patrice Boulanger
EXTERNALL
pboulanger () fr externall net
http://www.externall.net
137, bvd Voltaire - 75011 Paris
Standard: +33 1 58 39 33 00
Direct: +33 1 58 39 33 61



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: