Re: [Snort-users] Rule creation: content keyword

This is a discussion on Re: [Snort-users] Rule creation: content keyword within the Snort forums, part of the System Security and Security Related category; Hi again, thanks for all your answers! Just to check if I got everything right: - When more than one "...


Go Back   Usenet Forums > System Security and Security Related > Snort

Reload this Page Re: [Snort-users] Rule creation: content keyword

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 02-07-2005
mosquitooth@gmx.net
 
Posts: n/a
Default Re: [Snort-users] Rule creation: content keyword
Hi again,

thanks for all your answers! Just to check if I got everything right:

- When more than one "content" keyword is specified, the additional are
relative towards each other. So, the start for the search of the second
pattern starts at the last byte of the first matching pattern in the
payload.

- Now, different keywords can be added:

depth: Sets the max number of bytes in which is searched for the pattern,
relative to the last matching pattern (if one exists) and to a given
"offset" (e.g. offset: 4;depth:20; -> 'search for the pattern in 20 bytes,
starting at byte 5).

offset: sets the number of bytes to ignore in the payload. This is an
absolute value, so counting always starts at byte 1 of the payload. (correct
?)

distance: specifies the number of bytes to ignore (!) between two matching
pattern. Can't see the relationship to depth mentioned in the snort manual:
this specifies a number of bytes to IGNORE, but depth specifies the number
of bytes the search uses. By the way, the statement:

This can be thought of as exactly the same thing as depth (See Section ??),
except it is relative to the end of the last pattern match instead of the
beginning of the packet.

Now, I really thought that depth was relative, isn't it?

Are my conclusions correct? Or did I get anything wrong?

Thanks a lot
Peter

--
Lassen Sie Ihren Gedanken freien Lauf... z.B. per FreeSMS
GMX bietet bis zu 100 FreeSMS/Monat: http://www.gmx.net/de/go/mail


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 11:53 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0