I was reviewing the examples and noticed that the following example is wrong:
[file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [win-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar'] WITHIN 300 SECONDS
([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [win-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar']) WITHIN 300 SECONDS
The parens are needed to group the two together, otherwise the WITHIN only applies to the registry key test, which does not make any sense.
We did not make an exception for WITHIN to be greedy (that I can see in the spec), so for this to match the text (and without the parens, the WITHIN is meaningless), we need to update the example.
John-Mark
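The grouping point raised in the message above, as an added example that is not part of the original message or of the specification: a small Python parser for a simplified subset of the pattern syntax that reports which observations each WITHIN window covers. It assumes the binding rule the message describes (WITHIN attaches only to the expression directly before it); `within_scopes`, `TOKEN` and the subset grammar are constructed for illustration.

```python
import re

# Simplified subset: opaque [comparison] (no ']' in literals), parens, FOLLOWEDBY, WITHIN n SECONDS.
TOKEN = r"\[[^\]]*\]|\(|\)|FOLLOWEDBY|WITHIN|SECONDS|\d+"

def within_scopes(pattern):
    """Return [(seconds, [observations the window covers])] for each WITHIN."""
    toks = re.findall(TOKEN, pattern)
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", pattern):
        raise ValueError("pattern contains text outside the supported subset")
    scopes = []

    def primary(i):
        if i < len(toks) and toks[i] == "(":
            obs, i = sequence(i + 1)
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("missing ')'")
            return obs, i + 1
        if i < len(toks) and toks[i].startswith("["):
            return [toks[i]], i + 1
        raise ValueError("expected '[' or '('")

    def qualified(i):
        # Assumed rule (as the message describes): WITHIN binds to the expression just before it.
        obs, i = primary(i)
        while toks[i:i + 1] == ["WITHIN"]:
            if not (toks[i + 1:i + 2] and toks[i + 1].isdigit() and toks[i + 2:i + 3] == ["SECONDS"]):
                raise ValueError("malformed WITHIN qualifier")
            scopes.append((int(toks[i + 1]), obs))
            i += 3
        return obs, i

    def sequence(i):
        obs, i = qualified(i)
        while toks[i:i + 1] == ["FOLLOWEDBY"]:
            right, i = qualified(i + 1)
            obs = obs + right
        return obs, i

    _, end = sequence(0)
    if end != len(toks):
        raise ValueError("unexpected trailing tokens")
    return scopes

# The two patterns from the message, with the hash and key copied from it.
MD5 = "[file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4']"
KEY = r"[win-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar']"
UNGROUPED = f"{MD5} FOLLOWEDBY {KEY} WITHIN 300 SECONDS"
GROUPED = f"({MD5} FOLLOWEDBY {KEY}) WITHIN 300 SECONDS"
```

`within_scopes(UNGROUPED)` reports a window covering only the registry key observation, while `within_scopes(GROUPED)` reports one covering both; a pattern check that flags any WITHIN covering a single observation would catch the ungrouped form.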