Fortinet black logo

Custom IPS and Application Control Signature Syntax Guide

Home IPS Engine 3.6.0 Custom IPS and Application Control Signature Syntax Guide

Range modifier notes

3.6.0
7.4.0
7.2.0
7.1.0
7.0.0
6.4.0
6.2.0
5.2.0
3.6.0
Copy Link
Copy Doc ID f21167b4-200c-11e9-b6f6-f8bc1258b856:869861
Download PDF

Range modifier notes

  • The offset, depth, offset_abs, and depth_abs keywords are deprecated. These keywords are still supported in IPS Engine 3.0 in order to maintain backward compatibility.
  • The Snort/PCRE R option is no longer part of our PCRE. Use --distance 0; instead.
  • If you do not use a range modifier with pattern or pcre, matching is done from the beginning to the end of the buffer.
  • If you only use distance or distance_abs with pattern or pcre, matching is done from the location that is relative to the reference specified by <refer> to the end of the buffer.
  • If you only use within or within_abs with pattern or pcre, matching is done from the beginning of the reference specified by <refer> to the end of the buffer.
  • Do not omit the <refer> value or set <refer> to match when performing a pattern search with range modifiers.
  • Exercise caution when combining distance, within, distance_abs, and within_abs for the same pattern or pcre. They should be used in pairs of distance/within and distance_abs/ within_abs, and the <refer> values should be the same.
Previous
Next

Range modifier notes

  • The offset, depth, offset_abs, and depth_abs keywords are deprecated. These keywords are still supported in IPS Engine 3.0 in order to maintain backward compatibility.
  • The Snort/PCRE R option is no longer part of our PCRE. Use --distance 0; instead.
  • If you do not use a range modifier with pattern or pcre, matching is done from the beginning to the end of the buffer.
  • If you only use distance or distance_abs with pattern or pcre, matching is done from the location that is relative to the reference specified by <refer> to the end of the buffer.
  • If you only use within or within_abs with pattern or pcre, matching is done from the beginning of the reference specified by <refer> to the end of the buffer.
  • Do not omit the <refer> value or set <refer> to match when performing a pattern search with range modifiers.
  • Exercise caution when combining distance, within, distance_abs, and within_abs for the same pattern or pcre. They should be used in pairs of distance/within and distance_abs/ within_abs, and the <refer> values should be the same.
Previous
Next