Permitted Combinations: content Search Location Arguments
You can use either of two
content location pairs to specify where to begin
searching for the specified content and how far to continue searching, as
follows:
-
Use Offset and Depth together to search relative to the beginning of the packet payload.
-
Use Distance and Within together to search relative to the current search location.
When you specify only one of a pair, the default for the other option in the pair is assumed.
You cannot mix the Offset and Depth options with the Distance and Within options. For example, you cannot pair Offset and Within. You can use any number of location options in a rule.
When no location is specified, the defaults for Offset and Depth are assumed; that is, the content search starts at the beginning of the packet payload and continues to the end of the packet.
You can also use an existing
byte_extract variable to specify the value for a
location option.
Tip | You can use any number of location options in a rule. |