Re: Difference between distance and within

[Brian <bmc () snort org>]

On Mon, Apr 28, 2003 at 01:18:08PM -0700, Madhu Joshi wrote:
> Can somebody provide an example of using distance and
> within with *different* values? I have seen couple of
> examples in the FAQ and manual and they use something
> like distance=4; within=4. I am not completely clear
> on the difference between the two, so an example would
> help.  

For the basic understanding, this explanation should help.  

* distance: x;
   start looking for the specified content X bytes from the end of the
   previous content.

   example:
      content:"foo"; content:"bar"; distance:3;

   how it works:
      look for a content of "foo", then skip 3 bytes from the end of
      "foo".  From that location, look for "bar"

* within: x;
   the end of this content must be within X bytes from the end of the
   previous content.

   example:
      content:"foo"; content:"bar"; within:10;

   how it works:
      look for a content of "foo", then look for a content of "bar"
      that occurs within 10 bytes of the end of "foo"

* distance:x; within:y;
   start looking for the specified content X bytes from the end of the 
   previous content and only look for the content within Y bytes from 
   that.

   example:
      content:"foo"; content:"bar"; distance:3; within:3;

   how it works:
      look for a content of "foo", then skip 3 bytes from the end of
      "foo".  From that location, look for "bar" within 3 bytes.


-brian


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users