Azinix

Rlp_WithinAttribute_t Struct Reference

The within keyword is a content modifier that makes sure that at least N bytes are between pattern matches.

#include <rlp.h>


Data Fields

int within


Detailed Description

The within keyword is a content modifier that makes sure that at least N bytes are between pattern matches.

It's designed to be used in conjunction with the distance rule option. The rule listed below constrains the search to go no more than 10 bytes past the ABCDE match.

alert tcp any any -> any any (content: "2 Patterns"; content: "ABCDE"; content: "EFGH"; within: 10;)

The within tells the matching to look for an EFGH starting no more than 10 bytes after the first char of the ABCDE.

With nested withins, e.g. foo W bar W xyz, the semantics are that on a foo, if a bar is matched then the overall match holds just in case the xyz matches on the FIRST matched bar; if it doesn't, then we don't go further till the within range.
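The first-match behaviour described above, as an added C example (not Azinix code; `chain_match` and `find_first` are hypothetical names). It assumes the window is counted from the first char of the previous match, as the text states, that the next pattern starts strictly after that char, and that every occurrence of the first pattern is tried.

```c
#include <stdio.h>
#include <string.h>

/* First start offset of pat in buf within [from, to] (inclusive), or -1. */
static long find_first(const char *buf, size_t len, const char *pat,
                       size_t from, size_t to)
{
    size_t plen = strlen(pat);
    for (size_t s = from; s <= to && s + plen <= len; s++)
        if (memcmp(buf + s, pat, plen) == 0)
            return (long)s;
    return -1;
}

/* Hypothetical helper: returns 1 if pats[0..n-1] (n >= 1) match as a chain.
 * pats[i], i >= 1, must start 1..within[i] bytes after the first char of the
 * pats[i-1] match; only the FIRST such occurrence is used (no backtracking). */
int chain_match(const char *buf, size_t len,
                const char **pats, const int *within, size_t n)
{
    long head;
    for (size_t start = 0;
         (head = find_first(buf, len, pats[0], start, len)) >= 0;
         start = (size_t)head + 1) {   /* assumption: retry on each pats[0] */
        long prev = head;
        size_t i;
        for (i = 1; i < n && prev >= 0; i++)
            prev = find_first(buf, len, pats[i], (size_t)prev + 1,
                              (size_t)prev + (size_t)within[i]);
        if (i == n && prev >= 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *rule[] = { "ABCDE", "EFGH" };   /* within: 10 on EFGH */
    const int w[] = { 0, 10 };
    const char *nest[] = { "foo", "bar", "xyz" };
    const int nw[] = { 0, 10, 5 };
    /* Constructed sample payloads. */
    printf("%d\n", chain_match("ABCDE12345EFGH", 14, rule, w, 2));  /* in range */
    printf("%d\n", chain_match("ABCDE123456EFGH", 15, rule, w, 2)); /* too far */
    printf("%d\n", chain_match("foo bar bar xyz", 15, nest, nw, 3));
    return 0;
}
```

In the third payload the xyz lies within 5 bytes of the second bar but not of the first, so the chain does not match; rule authors should expect this when an intermediate pattern can repeat inside its window.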

Definition at line 1030 of file rlp.h.


Field Documentation

int Rlp_WithinAttribute_t::within

Definition at line 1032 of file rlp.h.