Understanding within

[James Lay <jlay () slave-tothe-box net>]

No..this isn't a Zen message ;)

Here's what I got...a boatload of eFax Blackhole exploit emails...so I 
thought I'd get some visibility into them with the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS 
possible Blackhole emailing"; flow:to_server, established; file_data; 
content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i"; 
classtype:trojan-activity; sid:10000018; rev:1;)

I'm trying to tighten it down with within:30;, but I can't seem to get 
it to fire when I add it.  My understanding using within is:

content:"bleh"; content:"bleh again"; within:30;

I know I'm missing something (no surprise there), but not sure 
what...any help would uh...help :)  Thanks!

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!