[Oisf-users] distance, uricontent

[Geoff Whittington]

Hello,

Can someone confirm whether there was a decision about the
interpretation of uricontent as a "pattern match"? i.e.

uricontent:"BAAD"; uricontent:"FOOD"; distance:0;

According to snort:

"The distance keyword allows the rule writer to specify how far into a
packet Snort should
ignore before starting to search for the specified pattern relative to
the end of the previous
pattern match."

Cheers,
 - Geoff