Examples

This example uses two variables to:

• Read the offset of a string from a byte at offset 0.
• Read the depth of a string from a byte at offset 1.
• Use these values to constrain a pattern match to a smaller area.

    alert tcp any any -> any any (byte_extract:1, 0, str_offset; \
        byte_extract:1, 1, str_depth; \
        content:"bad stuff"; offset:str_offset; depth:str_depth; \
        msg:"Bad Stuff detected within field";)