Snort mailing list archives

Quick Question.


From: Chris Keladis <Chris.Keladis () cmc optus net au>
Date: Wed, 12 Mar 2003 23:27:18 +1100

Hi folks,

I'm seeking some clarification on the 'content' rule option, that the docs didn't clarify for me.

In Snort 1.9.1, I've noticed that some rules, in their content option, match multiple hex values. E.g., content:"|00|4141|" etc.

Am I correct in assuming a rule with the content option above will trigger only if byte 00 precedes the concurrent bytes 4141, and that 00 can occur anywhere before the concurrent 4141 bytes to get a match?

I suspect the above is true, which leads me to my next question: is there currently any way to 'anchor' bytes, and only match, say, if the first byte == 0x00, while matching 4141 anywhere else in the packet? (Sort of like a regex for bytes rather than characters.)

I'm not intimately familiar with the Boyer-Moore pattern matching the Snort docs cite, so I would appreciate it if someone could kindly clarify this for me.

Thanks,

Chris.
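The matching behaviour the post asks about, as an added example in Python (not code from the post or from the Snort project): a parser for Snort's content syntax, where text between `|` pairs is hexadecimal and everything else is literal ASCII, producing one contiguous byte pattern, and a Boyer-Moore-Horspool scan that looks for that contiguous pattern in a payload. The `offset` and `depth` parameters are modelled on Snort's content modifiers of the same names (skip `offset` bytes, then search only `depth` bytes); that modelling, the `rule_matches` helper that combines several content options, and the sample payloads are all assumptions constructed for this example.

```python
"""Added example (not Snort's own code): Snort-style content matching.

parse_content: turns 'a|00 41|b' into b'a\x00Ab'.
find_pattern:  Boyer-Moore-Horspool search for one contiguous byte pattern,
               restricted to a window modelled on Snort's offset/depth.
rule_matches:  True only if every content option finds its pattern.
All payloads used in the usage block are constructed sample data.
"""
from typing import List, Optional, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_content(content: str) -> bytes:
    """Decode Snort content syntax into a single contiguous byte string."""
    out = bytearray()
    in_hex = False
    hex_buf: List[str] = []
    for ch in content:
        if ch == "|":
            if in_hex:  # closing pipe: flush the buffered hex digits
                digits = "".join(hex_buf)
                if len(digits) % 2:
                    raise ValueError("odd number of hex digits in |...| section")
                out += bytes.fromhex(digits)
                hex_buf = []
            in_hex = not in_hex
        elif in_hex:
            if ch.isspace():  # whitespace between hex bytes is ignored
                continue
            if ch not in HEX_DIGITS:
                raise ValueError(f"non-hex character {ch!r} inside |...|")
            hex_buf.append(ch)
        else:  # literal text outside the pipes
            out += ch.encode("latin-1")
    if in_hex:
        raise ValueError("unterminated |...| section")
    return bytes(out)


def find_pattern(payload: bytes, pattern: bytes,
                 offset: int = 0, depth: Optional[int] = None) -> int:
    """Return the payload index of the first contiguous match, or -1.

    The searchable window starts at `offset`; if `depth` is given, only
    `depth` bytes from that point are examined (assumed Snort semantics).
    """
    if not pattern:
        raise ValueError("empty pattern")
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    window = payload[offset:end]
    m = len(pattern)
    if m > len(window):
        return -1
    # Horspool bad-character table: for every byte except the last, how far
    # the pattern can slide when that byte is under the pattern's last slot.
    shift = {b: m - 1 - i for i, b in enumerate(pattern[:-1])}
    i = 0
    while i <= len(window) - m:
        if window[i:i + m] == pattern:
            return offset + i
        i += shift.get(window[i + m - 1], m)
    return -1


def rule_matches(payload: bytes,
                 contents: List[Tuple[str, int, Optional[int]]]) -> bool:
    """Every (content, offset, depth) triple must match for the rule to fire."""
    return all(find_pattern(payload, parse_content(c), off, dep) != -1
               for c, off, dep in contents)


if __name__ == "__main__":
    # Constructed payloads: 0x00 first byte, "AA" (0x41 0x41) somewhere later.
    anchored = b"\x00zzzAAzzz"
    unanchored = b"z\x00zzAA"
    # One content option: bytes must be contiguous, so this does not match.
    print(find_pattern(anchored, parse_content("|00 41 41|")))
    # Two content options: 0x00 pinned to byte 0 via offset 0 / depth 1,
    # then 0x41 0x41 anywhere in the payload.
    rule = [("|00|", 0, 1), ("|41 41|", 0, None)]
    print(rule_matches(anchored, rule), rule_matches(unanchored, rule))
```

Running the block prints `-1`, then `True False`: a single content pattern only matches when its bytes are adjacent, whereas pinning one byte and searching for the rest separately is expressed with two content options and a narrow offset/depth window on the first.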


