within Keyword
The following describes a pair of modifiers that are similar to **offset** and **depth**: **distance** and **within**. The two pairs differ as follows: **offset** and **depth** modify an absolute position, that is, the offset position is relative to the start position of the field, the start position of the TCP/UDP payload, or the start position of the file content. **distance** and **within**, however, modify a relative position, that is, the offset and depth of the match are determined by the end position of the previously matched detection item.

**within** indicates that the feature string is matched within a certain byte depth after the end of the previously matched feature string.

Example:

> PAYLOAD:
>
> <font color = green>ABCD</font><font color = blue>**EFGH**</font>IJKLMN

Matching conditions:

```
content: "ABCD"; content: "EFGH"; within:4;    Matched
content: "ABCD"; content: "FGHI"; within:4;    Not matched
```

For the first rule, after the feature string **ABCD** is matched, the **EFGH** string is found in the following 4 bytes, so the rule matches. For the second rule, after the feature string **ABCD** is matched, the **FGHI** string is not found in the following 4 bytes, so the rule does not match.
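The two rules above can be reproduced with a small model of relative matching. This is an added example, not code from the product or the original page. The function `match_chain`, the `(pattern, distance, within)` tuple layout and the retry over later occurrences of an earlier string are assumptions of this sketch.

```python
# Added illustration: a minimal model of relative content matching.
# Each item is (pattern, distance, within); distance/within are None when absent.
# Assumption: if a later relative item fails, the next occurrence of the
# earlier item is tried (the page does not describe retry behaviour).

PAYLOAD = b"ABCDEFGHIJKLMN"  # payload from the example above


def match_chain(payload: bytes, items, prev_end: int = 0) -> bool:
    """Return True if every content item matches, in order."""
    if not items:
        return True
    pattern, distance, within = items[0]
    if distance is None and within is None:
        # No relative modifier: search the whole payload.
        lo, hi = 0, len(payload)
    else:
        # Window starts at the end of the previous match (plus distance)
        # and, with within, spans exactly `within` bytes.
        lo = max(0, prev_end + (distance or 0))
        hi = len(payload) if within is None else min(lo + within, len(payload))
    # bytes.find only reports hits that lie entirely inside [lo, hi).
    pos = payload.find(pattern, lo, hi)
    while pos != -1:
        if match_chain(payload, items[1:], pos + len(pattern)):
            return True
        pos = payload.find(pattern, pos + 1, hi)
    return False


RULE_1 = [(b"ABCD", None, None), (b"EFGH", None, 4)]  # first rule on the page
RULE_2 = [(b"ABCD", None, None), (b"FGHI", None, 4)]  # second rule on the page

if __name__ == "__main__":
    print("rule 1:", match_chain(PAYLOAD, RULE_1))  # window after ABCD is EFGH
    print("rule 2:", match_chain(PAYLOAD, RULE_2))  # FGHI ends at byte 5 of the window
    # Constructed variants: widening within to 5, or skipping one byte
    # with distance 1, brings FGHI fully inside the window.
    print(match_chain(PAYLOAD, [(b"ABCD", None, None), (b"FGHI", None, 5)]))
    print(match_chain(PAYLOAD, [(b"ABCD", None, None), (b"FGHI", 1, 4)]))
```

The window is measured from the end of the previous match, so the whole second string must fit inside it; a string that merely starts inside the window does not match.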