Snort mailing list archives

Question on the relationship between byte_jump and content options


From: Tyler Smith <tyler.smith () adventiumlabs com>
Date: Wed, 24 Jun 2015 07:57:38 -0500

Is the behavior of the 'content' option affected by 'byte_jump' options before or after it in a rule?

The content manual page doesn't list byte_jump as one of the available content modifiers, but some rules (e.g., sid 30777) appear to be written with an assumption that different content will be found following a byte_jump:

alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any
    (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt";
    flow:to_client,established;
    content:"|16 03 00|";
    byte_jump:2,0,relative;
    content:"|18 03 00|";
       within:3; fast_pattern;
    byte_test:2,>,128,0,relative;
    metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl;
    reference:cve,2014-0160;
    classtype:attempted-recon;
    sid:30777;
    rev:3;)

Thanks,
Tyler

P.S. Documentation I’m referring to: http://manual.snort.org/node32.html#SECTION00451300000000000000
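The following is an added example, not part of the original post and not Snort's own code. It models how the detection cursor moves through a payload for the five detection options of sid 30777, using the documented semantics: a content with no relative modifier is searched from the start of the payload, byte_jump (with "relative") reads its bytes at the end of the previous match and moves the cursor past them and forward by the value read, and a later content with "within" is searched only in that many bytes after the cursor. The sample SSLv3 records are constructed inline; the helper names (match_sid_30777, tls_record, heartbeat_response) are this example's own.

```python
"""
Model of the detection cursor for Snort rule sid 30777 (added example, not
Snort source). Assumes the documented option semantics: big-endian reads for
byte_jump/byte_test, relative offsets measured from the end of the previous
match, and a non-relative content searched from the start of the payload.
"""
import struct

HANDSHAKE = b"\x16\x03\x00"   # content:"|16 03 00|"  (handshake record, SSLv3)
HEARTBEAT = b"\x18\x03\x00"   # content:"|18 03 00|"  (heartbeat record, SSLv3)


def match_sid_30777(payload: bytes) -> bool:
    """Evaluate the detection options of sid 30777 in rule order."""
    # content:"|16 03 00|" has no relative modifier: search from payload start.
    pos = payload.find(HANDSHAKE)
    if pos < 0:
        return False
    cursor = pos + len(HANDSHAKE)            # cursor sits just after the match

    # byte_jump:2,0,relative: read 2 big-endian bytes at cursor+0, then move
    # the cursor past those 2 bytes and forward by the value read. Here the
    # value is the handshake record length, so the jump lands on the next record.
    if cursor + 2 > len(payload):
        return False
    record_len = struct.unpack(">H", payload[cursor:cursor + 2])[0]
    cursor = cursor + 2 + record_len
    if cursor > len(payload):
        return False

    # content:"|18 03 00|"; within:3: a 3-byte pattern that must lie entirely
    # inside the 3 bytes after the cursor, i.e. exactly at the cursor.
    # fast_pattern only selects this pattern for the pre-filter; it does not
    # change where the match must occur.
    window = payload[cursor:cursor + 3]
    hit = window.find(HEARTBEAT)
    if hit < 0:
        return False
    cursor = cursor + hit + len(HEARTBEAT)

    # byte_test:2,>,128,0,relative: the 2-byte big-endian value at the cursor,
    # which is the heartbeat record's length field, must exceed 128.
    if cursor + 2 > len(payload):
        return False
    value = struct.unpack(">H", payload[cursor:cursor + 2])[0]
    return value > 128


def tls_record(content_type: int, body: bytes) -> bytes:
    """Constructed SSLv3 record: type, version 3.0, 2-byte length, body."""
    return bytes([content_type]) + b"\x03\x00" + struct.pack(">H", len(body)) + body


def heartbeat_response(claimed_len: int, data: bytes) -> bytes:
    """Constructed heartbeat message: type 2 (response), claimed length, data."""
    return b"\x02" + struct.pack(">H", claimed_len) + data


# Constructed sample payloads (not captured traffic).
SERVER_HELLO = tls_record(0x16, b"\x02" + b"\x00" * 40)          # 41-byte handshake body
LARGE_RESPONSE = SERVER_HELLO + tls_record(0x18, heartbeat_response(16384, b"A" * 500))
SMALL_RESPONSE = SERVER_HELLO + tls_record(0x18, heartbeat_response(1, b"A"))
NO_HEARTBEAT = SERVER_HELLO + tls_record(0x17, b"B" * 300)       # application data follows
# Heartbeat record present, but not the record immediately after the handshake.
MISALIGNED = SERVER_HELLO + tls_record(0x17, b"B" * 10) + tls_record(0x18, heartbeat_response(16384, b"A" * 500))


if __name__ == "__main__":
    for name, p in [("LARGE_RESPONSE", LARGE_RESPONSE), ("SMALL_RESPONSE", SMALL_RESPONSE),
                    ("NO_HEARTBEAT", NO_HEARTBEAT), ("MISALIGNED", MISALIGNED)]:
        print(f"{name}: match={match_sid_30777(p)} heartbeat_bytes_present={HEARTBEAT in p}")
```

The MISALIGNED payload is the instructive case: "|18 03 00|" is present in the buffer, so a second content without within/distance would match, but because within:3 is measured from the cursor that byte_jump moved to the end of the handshake record, the rule does not fire. Note also that byte_test compares the heartbeat record length, not the heartbeat message's claimed payload length. One simplification: when a later option fails, the real Snort engine retries earlier content matches at their next occurrence in the buffer; this model checks only the first occurrence of "|16 03 00|".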

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org