Snort mailing list archives

No need for content modifier 'within'


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Thu, 10 Jun 2010 09:39:51 -0500

Hello.  Not trying to beat a dead horse here but I was reading
http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
and came to a part where it said, "Offset goes with Depth, distance
goes with within.  Don’t mix them."  I'm not sure I agree with this
and I'm not much of a Blogger/Internet Exhibitionist so I'm posting
this here.

We all know, offset tells Snort how far into the payload (starting
from the beginning of the payload) to start looking for a content
match.  Distance tells Snort how far into the payload (starting from
the previous content match) to start looking for a content match.
Depth *and* within tell Snort where to stop looking based on where it
started looking.  So you can have distance and use depth if you want
and it is perfectly OK to do this.  Do not be afraid.  The only reason
within exists is so if you have a situation where you don't use
distance but want to make sure no more than N bytes are between
content matches.  But within isn't really necessary. In fact, we could
get rid of within in the case described and just add distance:0; and
use depth.

Hope this helps clarify a few things about the within content modifier.

Cheers,

-L0rd Ch0de1m0rt
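To make the argument above concrete, here is a small Python model of the four modifiers written to the semantics as the post describes them (offset and depth anchored at the start of the payload, distance and within anchored at the end of the previous content match, depth and within both bounding the window from where the search starts). It is an added illustration, not Snort's own matcher and not code from the post; the `Content` and `match_rule` names and the FTP-style sample payload are constructed for the example. It shows that, under this model, `within:N` and `distance:0; depth:N` give identical results on the same payload.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample payload (not from the post): 28 bytes, "PASS" starts at
# index 16, "guest" at index 21.
PAYLOAD = b"USER anonymous\r\nPASS guest\r\n"


@dataclass
class Content:
    """One content keyword plus its modifiers (hypothetical model, not Snort)."""
    pattern: bytes
    offset: int = 0                  # absolute start, counted from payload start
    depth: Optional[int] = None      # window length from where searching starts
    distance: Optional[int] = None   # relative start, counted from previous match end
    within: Optional[int] = None     # relative window length (same role as depth)


def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """Return True if every content matches, in order, under its modifiers."""
    cursor = 0  # byte just past the previous content match
    for c in contents:
        relative = c.distance is not None or c.within is not None
        # distance/within make the search relative to the previous match;
        # otherwise offset counts from the start of the payload.
        start = cursor + (c.distance or 0) if relative else c.offset
        # Both depth and within bound the window from where searching starts.
        window = c.within if c.within is not None else c.depth
        end = len(payload) if window is None else min(len(payload), start + window)
        # The whole pattern must fit inside [start, end) to count as a match.
        idx = payload.find(c.pattern, start, end)
        if idx < 0:
            return False
        cursor = idx + len(c.pattern)
    return True


def within_vs_distance_depth(n: int, payload: bytes = PAYLOAD) -> Tuple[bool, bool]:
    """Compare 'within:n' against 'distance:0; depth:n' for the same two contents."""
    rule_within = [Content(b"USER"), Content(b"PASS", within=n)]
    rule_dist_depth = [Content(b"USER"), Content(b"PASS", distance=0, depth=n)]
    return match_rule(payload, rule_within), match_rule(payload, rule_dist_depth)


def offset_depth(offset: int, depth: int, payload: bytes = PAYLOAD) -> bool:
    """Absolute search: content:"PASS"; offset:<offset>; depth:<depth>;"""
    return match_rule(payload, [Content(b"PASS", offset=offset, depth=depth)])


def distance_only(distance: int, payload: bytes = PAYLOAD) -> bool:
    """Relative search with no upper bound: content:"USER"; content:"guest"; distance:<distance>;"""
    return match_rule(payload, [Content(b"USER"), Content(b"guest", distance=distance)])


if __name__ == "__main__":
    # "PASS" ends 16 bytes after "USER" ends, so a window of 16 fits and 15 does not.
    print("within:16 vs distance:0;depth:16 ->", within_vs_distance_depth(16))
    print("within:15 vs distance:0;depth:15 ->", within_vs_distance_depth(15))
    print("offset:16;depth:4 ->", offset_depth(16, 4), " offset:16;depth:3 ->", offset_depth(16, 3))
    print("distance:5 ->", distance_only(5), " distance:18 ->", distance_only(18))
```

The two rule forms agree on every payload because, once a content is relative, depth and within are just two names for the same window length; the only thing within adds is the relative anchor, which `distance:0;` supplies explicitly.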

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs