[Intrusions] LOGS: GIAC GCIA Version 3.5 PracticalDetect DarinMarais

lola marais lola_marais at hotmail.com
Mon Oct 4 21:45:12 GMT 2004


you wrote
>In your text you explain the above. However, the snort rule shown has this 
>:
>
>isdataat:6,relative;
>
>The relative keyword is optional, and consequently, your answer above 
>could be misleading.

Steven, thank you very much for your question and for bringing my attention to 
the ambiguity. I do agree that the question I have chosen is misleading 
without actually specifying the optional word "relative".

The relative word binds the "isdataat" statement to the end of the 
previous content match and is therefore very important in determining the 
answer. It causes the rule to begin looking x bytes from the end of that 
content string.

So to summarise if you need the rule to look for a specific condition, for 
instance make sure that there are no b’s, x bytes from the end of the 
content match of a, you could use the following condition.

content:"a";  isdataat:x,relative; content:! "b";

I will amend the question to reflect:
When writing snort signatures for content matching, the parameter 
"isdataat:x,relative;" is used to indicate to the snort process to:

rgs
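The point of the thread, the difference the optional "relative" modifier makes to where isdataat starts counting, can be seen by emulating the keyword. The following is an added illustration, not code from the original post or from Snort itself; it is a deliberately simplified model of Snort's detection pointer (no offset/depth/distance/within handling) applied to the rule fragment quoted in the reply, with constructed sample payloads.

```python
# Added example: a simplified emulation of how Snort evaluates
#   content:"a"; isdataat:x,relative; content:!"b";
# Snort's real engine has many more modifiers; this model only covers
# the plain content match, isdataat with/without "relative", and a
# negated content match, which is enough to show the anchoring difference.

def content_match(payload: bytes, pattern: bytes, start: int = 0):
    """Return the position just past the first match at/after start, else None.
    That position is what Snort's detection pointer is set to after a match."""
    idx = payload.find(pattern, start)
    return None if idx == -1 else idx + len(pattern)

def isdataat(payload: bytes, n: int, relative: bool, cursor: int) -> bool:
    """Emulate isdataat:n[,relative]: is there a byte at offset n counted
    from the detection pointer (relative) or from payload start (absolute)?"""
    base = cursor if relative else 0
    return len(payload) > base + n

def evaluate(payload: bytes, x: int, relative: bool) -> bool:
    """Evaluate the post's rule fragment with isdataat:x[,relative].
    Returns True when every option matches (the rule would fire)."""
    cursor = content_match(payload, b"a")
    if cursor is None:
        return False
    if not isdataat(payload, x, relative, cursor):
        return False
    # content:!"b" carries no relative modifier, so it is checked against
    # the whole payload: the negated match succeeds only if "b" is absent.
    return content_match(payload, b"b") is None

if __name__ == "__main__":
    # Constructed payloads: "a" sits at index 4, so the detection pointer
    # after content:"a" is 5; x=6 then needs a byte at index 11 if relative.
    samples = [b"xxxxa123456", b"xxxxa1234567", b"xxxxa1234567b", b"zzzz"]
    for p in samples:
        print(p, "relative:", evaluate(p, 6, True),
              "absolute:", evaluate(p, 6, False))
```

Running it shows the same payload passing isdataat:6 but failing isdataat:6,relative, which is exactly the ambiguity the question is being amended to remove.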
