Snort mailing list archives

Re: Understanding within

From: Joel Esler <jesler () sourcefire com>
Date: Wed, 15 Aug 2012 13:33:57 -0400

Within says the content it's applied to must be "within" the bytes specified, starting from the end of the last content 
match, or the distance pointer.  The 'data offset end' (or DOE).

You cannot apply content keywords to pcre.

(So, no, you can't do what you are asking)



On Aug 15, 2012, at 1:27 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2012-08-15 11:19, lists () packetmail net wrote:

On 08/15/12 12:13, James Lay wrote:

I know I'm missing something (no surprise there), but not sure
what...any help would uh...help :)  Thanks!


Check out

http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html

Your within value must also account for the byte size of the content
match itself.

content:"bleh"; content:"bleh again"; within:30;

The above means there can be 20 bytes between "bleh" and "bleh 
again".




Thank you.  A question I have is do we treat pcre as a...."content"?

content:"ick"; pcre:/"bleh"/"; within:30;

saying that there can be 30 bytes between "ick" and "bleh"?  Or how 
does pcre fit in the scheme of content?  Danke :)

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Understanding within James Lay (Aug 15)
- Re: Understanding within lists () packetmail net (Aug 15)
  - Re: Understanding within James Lay (Aug 15)
    - Re: Understanding within Joel Esler (Aug 15)
    - Re: Understanding within lists () packetmail net (Aug 15)
    - Re: Understanding within James Lay (Aug 15)
    - Re: Understanding within lists () packetmail net (Aug 15)
    - Re: Understanding within Joel Esler (Aug 15)
    - Re: Understanding within James Lay (Aug 15)