Re: [Snort-sigs] distance, within, and negated matches

[L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>]

Hello.  Thank you Patrick for the response.  One point of clarity and one
thing that I noticed is that non-relative negated content matches seem to
*reset* the pointer so that is something to keep in mind... You should
always put non-relative negated content matches before or after your
relative content matches or it won't work as you expect!

Cheers,

Lord C.


On Sun, Jul 1, 2012 at 4:52 PM, Patrick Mullen <pmullen () sourcefire com>wrote:

> Wow, a flash from the past.  Welcome back.
>
> Negated content matches do not move the cursor, which means any negative
> content match, no matter how many there are, is relative to the last thing
> to move the cursor, whether it be a regular content match, pcre, byte_jump,
> etc.
>
> Cheers,
>
> Patrick
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!