The within keyword is a content modifier that makes sure that atleast N bytes are between pattern matches.
It's designed to be used in conjunction with the distance rule option. The rule listed below contrains the search to not go past 10 bytes past the ABCDE match.
alert tcp any any -> any any (content: "2 Patterns"; content: "ABCDE"; content: "EFGH"; within: 10;)
The within tells the matching to look for an EFGH starting no more than 10 bytes after the first char of the ABCDE.
With nested withins e.g., foo W bar W xyz, the semantics is that on a foo, if a bar is matched then the overall match holds just in case the xyz matches on the FIRST matched bar; if it doesn't then we don;t go further till the within range.
Definition at line 1030 of file rlp.h.