Is 'within' affected by 'distance'?

shyang · September 7, 2021, 8:34am

According to the manual, ‘within’ is not affected by ‘distance’.
The position of ‘within’ is constant regardless of the value of ‘distance’.
https://suricata.readthedocs.io/en/suricata-6.0.1/rules/payload-keywords.html#within

However, if you actually test it, it will be affected.
It is detected when distance is 2 and within is 4, but is not detected when distance is 0 and within is 4.

for example,
ETOpen rule #2000332

alert tcp any any → any 4660:4799 (msg:“ET P2P ed2k request part”; flow: to_server,established; content:“|e3|”; offset: 1; content:“|00 00 00 47|”; distance: 2; within: 4; classtype:policy-violation; sid:2000332; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Which one is right? manual or test result?

Andreas_Herz · September 7, 2021, 8:31pm

Can you share the pcap for this test as well?

Topic		Replies	Views
Some match bypass? Rules rules	27	1757	September 17, 2021
Rule data size question Rules rules , suricata	2	427	March 16, 2023
Different behaviour between byte_test and content when using flowbits Help	0	531	May 11, 2021
How to use suricata key_word stream_size? Rules	6	1043	January 11, 2022
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	667	June 8, 2023

Is 'within' affected by 'distance'?

Related Topics