Snort mailing list archives

Re: Rule creation: content keyword


From: mosquitooth () gmx net
Date: Mon, 7 Feb 2005 09:25:11 +0100 (MET)

Hi again,

thanks for all your answers! Just to check if I got everything right:

- When more than one "content" keyword is specified, the additional ones are
relative to each other. So the search for the second pattern starts at the
last byte of the first matching pattern in the payload.

- Now, different keywords can be added:

depth: Sets the maximum number of bytes that are searched for the pattern,
relative to the last matching pattern (if one exists) and to a given
"offset" (e.g. offset:4; depth:20; -> 'search for the pattern in 20 bytes,
starting at byte 5').

offset: Sets the number of bytes to ignore in the payload. This is an
absolute value, so counting always starts at byte 1 of the payload.
(Correct?)

distance: Specifies the number of bytes to ignore (!) between two matching
patterns. I can't see the relationship to depth mentioned in the Snort manual:
this specifies a number of bytes to IGNORE, but depth specifies the number
of bytes the search uses. By the way, the statement:

This can be thought of as exactly the same thing as depth (See Section ??),
except it is relative to the end of the last pattern match instead of the
beginning of the packet.

Now, I really thought that depth was relative; isn't it?

Are my conclusions correct? Or did I get anything wrong?

Thanks a lot
Peter
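
Added example, not part of the thread or of Snort's own code: a small Python model of the search windows that offset/depth (absolute, from the start of the payload) and distance/within (relative, from the end of the previous match) impose on a chain of content patterns, following the semantics described in the Snort manual. The way `within` is measured when combined with `distance` (from the distance-adjusted start) is an assumption of this model, and the payloads are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# (pattern, modifiers) where modifiers may hold offset, depth, distance, within
Content = Tuple[bytes, Dict[str, int]]


def search_window(payload_len: int, mods: Dict[str, int],
                  last_end: Optional[int]) -> Tuple[int, int]:
    """Compute the [start, end) byte range the whole pattern must lie inside.

    distance/within make the search relative to the end of the previous match;
    without them, offset/depth count from byte 0 of the payload (absolute).
    """
    if last_end is not None and ("distance" in mods or "within" in mods):
        start = last_end + mods.get("distance", 0)   # bytes skipped after last match
        # assumption: `within` bounds the window from the distance-adjusted start
        end = start + mods["within"] if "within" in mods else payload_len
    else:
        start = mods.get("offset", 0)                # absolute start position
        end = start + mods["depth"] if "depth" in mods else payload_len
    return start, min(end, payload_len)


def match_contents(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Return the match offset of each content, in order, or None if any fails."""
    positions: List[int] = []
    last_end: Optional[int] = None
    for pattern, mods in contents:
        start, end = search_window(len(payload), mods, last_end)
        # bytes.find with an end bound only accepts matches fully inside the window
        idx = payload.find(pattern, start, end) if start < end else -1
        if idx < 0:
            return None
        positions.append(idx)
        last_end = idx + len(pattern)                # next relative search starts here
    return positions


if __name__ == "__main__":
    # constructed payloads, not captured traffic
    req = b"GET /cgi-bin/phf HTTP/1.0"
    print(match_contents(req, [(b"cgi-bin/phf", {"offset": 4, "depth": 20})]))  # [5]
    print(match_contents(req, [(b"cgi-bin/phf", {"offset": 4, "depth": 10})]))  # None
    data = b"ABCxxEFG"
    print(match_contents(data, [(b"ABC", {}), (b"EFG", {"distance": 2, "within": 3})]))  # [0, 5]
    print(match_contents(data, [(b"EFG", {}), (b"ABC", {"offset": 0, "depth": 3})]))    # [5, 0]
```

The last two calls show the difference the thread is about: `distance`/`within` count from the end of the previous match, while `offset`/`depth` ignore the previous match and count from the payload start.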
