distance Keyword
**distance** indicates that the matching starts after a certain number of bytes are offset after the previous feature string is matched. Example: > PAYLOAD: > > <font color = green>ABCD</font>EFG<font color = "red">**H**</font>**IJK**LMN > > ↑ The start position of "H" is an offset of 3 bytes after matching **ABCD**, that is, distance:3. Matching conditions: ``` content: "ABCD"; content: "HIJK"; distance:3; Matched content: "ABCD"; content: "GHIJ"; distance:3; Not matched content: "ABCD"; content: "JKLM"; distance:3; Matched ``` The **distance** modifier is used with the **within** modifier. That is, the character string of the **within** depth is matched after the offset of the **distance** depth after the end position of the previous content is matched. Example: > PAYLOAD: > > <font color = green>ABCD</font>EFG<font color = blue><font color = "red">**H**</font>**IJK**</font>LMN > > ↑ The start position of "H" is an offset of 3 bytes after matching **ABCD**, that is, distance:3. > > ↑--↑ Offset to the position specified by **distance**, and then use 4 bytes to match, that is, within:4. Matching conditions: ``` content: "ABCD"; content: "HIJK"; distance:3; within:4; Matched ``` For the preceding rule, after the feature string **ABCD** is matched, 4 bytes after an offset of 3 bytes are used to match the **HIJK** feature string. The rule can be matched.