Snort mailing list archives

Re: Rule creation: content keyword

From: Frank Knobbe <frank () knobbe us>
Date: Sun, 06 Feb 2005 15:22:16 -0600

On Sun, 2005-02-06 at 20:13 +0100, mosquitooth () gmx net wrote:

just one question: If I specify more than one "content:"[x]"" keyword in a
snort rule - are these content patterns relative towards each other? If so,
where does a new search for e.g. the second pattern start? At the last byte
of the last (e.g. first) successful match?



It's all explained in the Snort Manual at:
http://www.snort.org/docs/snort_manual/


Specifically this section:
http://www.snort.org/docs/snort_manual/node20.html


Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Rule creation: content keyword mosquitooth (Feb 06)
- Re: Rule creation: content keyword Frank Knobbe (Feb 06)
- Re: Rule creation: content keyword mosquitooth (Feb 06)
  - Re: Rule creation: content keyword Edin Dizdarevic (Feb 06)
- Re: Rule creation: content keyword mosquitooth (Feb 07)
- Re: Rule creation: content keyword Matt Kettler (Feb 07)
  - Finding rules for internal network sEc nErD (Feb 07)
    - Re: Finding rules for internal network James Riden (Feb 07)
    - Re: Finding rules for internal network Matt Kettler (Feb 07)
- <Possible follow-ups>
- RE: Rule creation: content keyword Basselgia, Barry A Mr (NAF Atsugi) (Feb 06)