Snort mailing list archives

RE: Rule creation: content keyword

From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Mon, 7 Feb 2005 09:08:59 +0900

The content modifier keywords control how multiple content: statements
relate to each other.

For example:

depth is relative to the beginning of the payload.
distance is relative to the end of the last pattern match.

This is explained in the snort_manual that comes with the source.

Barry


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of
mosquitooth () gmx net
Sent: Monday, February 07, 2005 4:14 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rule creation: content keyword


Hi,

just one question: If I specify more than one "content:"[x]"" keyword in a
snort rule - are these content patterns relative towards each other? If so,
where does a new search for e.g. the second pattern start? At the last byte
of the last (e.g. first) successful match?


Thanks if someone can enlight me,

Peter

-- 
Lassen Sie Ihren Gedanken freien Lauf... z.B. per FreeSMS
GMX bietet bis zu 100 FreeSMS/Monat: http://www.gmx.net/de/go/mail


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Rule creation: content keyword mosquitooth (Feb 06)
- Re: Rule creation: content keyword Frank Knobbe (Feb 06)
- Re: Rule creation: content keyword mosquitooth (Feb 06)
  - Re: Rule creation: content keyword Edin Dizdarevic (Feb 06)
- Re: Rule creation: content keyword mosquitooth (Feb 07)
- Re: Rule creation: content keyword Matt Kettler (Feb 07)
  - Finding rules for internal network sEc nErD (Feb 07)
    - Re: Finding rules for internal network James Riden (Feb 07)
    - Re: Finding rules for internal network Matt Kettler (Feb 07)
- <Possible follow-ups>
- RE: Rule creation: content keyword Basselgia, Barry A Mr (NAF Atsugi) (Feb 06)