Snort mailing list archives
Re: Rule creation: content keyword
From: mosquitooth () gmx net
Date: Mon, 7 Feb 2005 09:25:11 +0100 (MET)
Hi again, thanks for all your answers! Just to check if I got everything right:

- When more than one "content" keyword is specified, the additional ones are relative to each other. So the search for the second pattern starts at the last byte of the first matching pattern in the payload.
- Now, different keywords can be added:
  - depth: Sets the max number of bytes in which the pattern is searched for, relative to the last matching pattern (if one exists) and to a given "offset" (e.g. offset:4; depth:20; -> 'search for the pattern in 20 bytes, starting at byte 5').
  - offset: sets the number of bytes to ignore in the payload. This is an absolute value, so counting always starts at byte 1 of the payload. (correct?)
  - distance: specifies the number of bytes to ignore (!) between two matching patterns. Can't see the relationship to depth mentioned in the Snort manual: this specifies a number of bytes to IGNORE, but depth specifies the number of bytes the search uses.

By the way, the statement:

"This can be thought of as exactly the same thing as depth (See Section ??), except it is relative to the end of the last pattern match instead of the beginning of the packet."

Now, I really thought that depth was relative, isn't it?

Are my conclusions correct? Or did I get anything wrong?

Thanks a lot
Peter
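An added example, not part of the original thread: a small Python model of how the content modifiers discussed above select the search window, following the Snort manual (offset/depth count from the start of the payload, distance/within count from the end of the previous content match). The payload and the rule specs are constructed for illustration.

```python
# Added example (not from the Snort project or the original post): a model of
# Snort content-modifier semantics. "doe" is the end of the previous match.

def _window(payload, spec, doe):
    """Return the [start, end) byte range the pattern must fit inside."""
    relative = "distance" in spec or "within" in spec
    if relative and doe is not None:
        start = doe + spec.get("distance", 0)            # skip N bytes after last match
        end = start + spec["within"] if "within" in spec else len(payload)
    else:
        start = spec.get("offset", 0)                     # absolute: skip N payload bytes
        end = start + spec["depth"] if "depth" in spec else len(payload)
    return max(start, 0), min(end, len(payload))


def match_contents(payload, contents, i=0, doe=None):
    """True if every content spec matches in order. Like Snort, when a later
    relative content fails, the earlier pattern is retried at its next occurrence."""
    if i == len(contents):
        return True
    spec = contents[i]
    pat = spec["pattern"]
    start, end = _window(payload, spec, doe)
    pos = payload.find(pat, start, end)      # pattern must lie wholly inside the window
    while pos != -1:
        if match_contents(payload, contents, i + 1, pos + len(pat)):
            return True
        pos = payload.find(pat, pos + 1, end)
    return False


# Constructed sample payload, not captured traffic.
PAYLOAD = b"GET /cgi-bin/test.cgi?user=admin HTTP/1.0\r\n"

EXAMPLES = {
    # depth:3 -> only bytes 0..2 are searched
    "depth_from_start": [{"pattern": b"GET", "depth": 3}],
    # offset:1; depth:3 -> bytes 1..3 ("ET "), so "GET" no longer fits
    "offset_shifts_window": [{"pattern": b"GET", "offset": 1, "depth": 3}],
    # a second content without distance/within is absolute, so order does not matter
    "second_content_absolute": [{"pattern": b"HTTP"}, {"pattern": b"GET"}],
    # "cgi-bin" ends at byte 12; distance:1 skips "/", within:4 leaves room for "test"
    "distance_within_fit": [{"pattern": b"cgi-bin"}, {"pattern": b"test", "distance": 1, "within": 4}],
    # within:3 gives a 3-byte window, too small for the 4-byte pattern
    "within_too_small": [{"pattern": b"cgi-bin"}, {"pattern": b"test", "distance": 1, "within": 3}],
}

def run_examples():
    return {name: match_contents(PAYLOAD, specs) for name, specs in EXAMPLES.items()}

if __name__ == "__main__":
    for name, ok in run_examples().items():
        print(f"{name}: {'match' if ok else 'no match'}")
```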