3.5.10 within

The within keyword is a content modifier that makes sure that at most N bytes are between pattern matches using the content keyword (see the section on content). It's designed to be used in conjunction with the distance rule option (see the section on distance).

This keyword accepts values greater than or equal to the length of the pattern being searched for. The maximum allowed value for this keyword is 65535.

The value can also be set to a string value referencing a variable extracted by the byte_extract keyword in the same rule.

3.5.10.1 Format

verbatim618#

3.5.10.2 Examples

This rule constrains the search for EFG so that it does not go more than 10 bytes past the ABC match.

verbatim619#
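The window that within imposes can be checked offline with a small model. The following Python is an added example, not part of the Snort manual and not Snort's own code; the function name relative_match, the sample payloads, and the way distance shifts the start of the window are assumptions made for illustration.

```python
MAX_WITHIN = 65535  # maximum value the section states for within


def relative_match(payload, first, second, within, distance=0):
    """Simplified model of: content:<first>; content:<second>; within:<within>;

    Returns the payload offset of `second` when it lies wholly inside the
    `within`-byte window that opens `distance` bytes after the end of a
    `first` match, otherwise None. (Assumed model, constructed inputs.)
    """
    # The section's limits: at least the pattern length, at most 65535.
    if not len(second) <= within <= MAX_WITHIN:
        raise ValueError("within must be >= pattern length and <= 65535")

    start = payload.find(first)
    while start != -1:
        window_start = start + len(first) + distance
        # bytes.find with an end bound only reports matches that fit
        # completely inside [window_start, window_start + within).
        hit = payload.find(second, window_start, window_start + within)
        if hit != -1:
            return hit
        # Retry from a later occurrence of the first pattern.
        start = payload.find(first, start + 1)
    return None


if __name__ == "__main__":
    # Constructed payloads: 7 and 8 filler bytes between ABC and EFG.
    for sample in (b"ABC1234567EFG", b"ABC12345678EFG"):
        print(sample, "->", relative_match(sample, b"ABC", b"EFG", 10))
```

With 7 filler bytes EFG ends exactly at the 10-byte boundary and matches; with 8 it no longer fits in the window, which is the evasion gap to keep in mind when choosing the value for a rule.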