Snort mailing list archives

byte_test and relative


From: Praveen D <praveend.hac () gmail com>
Date: Wed, 14 Jan 2015 15:28:19 +0530

Hi,

In byte_test, relative is mentioned as "Use an offset relative to last
pattern match".
Please confirm if the pattern match is relative to "content:" or "pcre:" or
both.

41 42 43 44 . . . .  10 . . . . . 31 32        ABCD . . . .  . . . . . . 1 2

content:"ABCD"; byte_test:1,=,0x10,offset:4,relative;
pcre:"/ABCD/"; byte_test:1,=,0x10,offset:4,relative;

Will both content/pcre work?

Best Regards,
Praveen Darshanam
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
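
The cursor arithmetic from the question, worked through as an added example (not part of the original post and not Snort's own code). It assumes the Snort 2.x behaviour in which both content and pcre leave the detection cursor at the end of their match; the helper names and the filler bytes in the payload are constructed for illustration.

```python
import operator
import re

# Constructed payload following the byte layout in the post:
# "ABCD", 4 filler bytes, 0x10, 5 filler bytes, "12". Filler values are made up.
PAYLOAD = b"ABCD" + b"\x00" * 4 + b"\x10" + b"\x00" * 5 + b"12"

OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
       "&": lambda a, b: (a & b) != 0}


def content(payload, pattern):
    """Literal match: return the cursor (index just past the match) or None."""
    i = payload.find(pattern)
    return None if i < 0 else i + len(pattern)


def pcre(payload, regex):
    """Regex match: assumed to leave the cursor at the end of the match."""
    m = re.search(regex, payload)
    return None if m is None else m.end()


def byte_test(payload, nbytes, op, value, offset, cursor=None):
    """Model of byte_test with big-endian conversion.

    cursor=None reads at `offset` from the start of the payload;
    otherwise the read is relative to the cursor of the last match.
    """
    start = offset if cursor is None else cursor + offset
    end = start + nbytes
    if start < 0 or end > len(payload):
        return False  # a read outside the payload never matches
    return OPS[op](int.from_bytes(payload[start:end], "big"), value)


def rule_matches(matcher, pattern, payload=PAYLOAD):
    """Models <matcher>; byte_test:1,=,0x10,4,relative; against the payload."""
    cursor = matcher(payload, pattern)
    if cursor is None:
        return False
    return byte_test(payload, 1, "=", 0x10, 4, cursor=cursor)


if __name__ == "__main__":
    print("content + relative byte_test:", rule_matches(content, b"ABCD"))
    print("pcre + relative byte_test:   ", rule_matches(pcre, rb"ABCD"))
    print("same test, not relative:     ", byte_test(PAYLOAD, 1, "=", 0x10, 4))
```

Without relative, offset 4 is counted from the start of the payload and lands on the first filler byte instead of 0x10.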