Snort mailing list archives

RE: [Snort-sigs] Depth and multi content rule help.


From: SRH-Lists <giermo () 333tech com>
Date: Tue, 17 Jun 2003 13:53:03 -0500


Hello,

If I have a rule with three pattern matches in it
and I want to limit the search depth for just one 
of the content searches, but I want the other two 
pattern matches to search the whole packet, is this possible?
This is an example of what I am trying to do.

alert any any -> any any (msg:"Test"; content:"123"; content:"101112";
depth:48; content:"|ff 53 4d 42 a2|";)

Will this work? Or will my depth keyword apply to all three content
matches?

1)  Don't cross-post between the different snort lists.
2)  Depth works just like you want it to, it modifies only the 'content'
    keyword immediately preceding it.
    So in your example only the 'content:"101112";' gets modified.

-steve
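
The binding described in the reply can be checked with a small model. This is an added example, not part of the original thread and not Snort's own code: a Python sketch (function names are hypothetical) that attaches each depth to the content before it and evaluates the rule's options against constructed payloads. It assumes no offset keyword, so depth counts from the start of the payload.

```python
import re

# Option string from the rule in the question (msg terminated with ';').
OPTIONS = ('msg:"Test"; content:"123"; content:"101112"; depth:48; '
           'content:"|ff 53 4d 42 a2|";')

def decode(pattern):
    """Turn a content pattern into bytes; |..| sections are hex."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(options):
    """Return [(pattern, depth_or_None)]; depth modifies the content before it."""
    contents = []
    for key, value in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]+);', options):
        if key == "content":
            contents.append([decode(value.strip('"')), None])
        elif key == "depth":
            if not contents:
                raise ValueError("depth without a preceding content")
            contents[-1][1] = int(value)
    return [tuple(c) for c in contents]

def matches(contents, payload):
    """Every content must be found; a depth-limited one only in payload[:depth]."""
    return all(pat in (payload if depth is None else payload[:depth])
               for pat, depth in contents)

# Constructed payloads (not captured traffic).
TAIL = b"123" + b"\xffSMB\xa2"
PAYLOAD_HIT = b"101112" + b"\x00" * 60 + TAIL        # "101112" inside first 48 bytes
PAYLOAD_DEEP = b"\x00" * 60 + b"101112" + TAIL       # "101112" starts at offset 60
PAYLOAD_STRADDLE = b"\x00" * 45 + b"101112" + TAIL   # "101112" crosses byte 48

if __name__ == "__main__":
    rule = parse_contents(OPTIONS)
    for name in ("PAYLOAD_HIT", "PAYLOAD_DEEP", "PAYLOAD_STRADDLE"):
        print(name, matches(rule, globals()[name]))
```

In all three payloads "123" and the SMB bytes sit past byte 48 and are still found, so only the position of "101112" decides the outcome.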

