[Snort-devel] ACK. Re: [Snort-users] version.bind (part of the problem) (fwd)

Steve Halligan agent33 at ...269...
Fri Feb 9 11:54:09 EST 2001


Just a question of clarification.  Through all of this debate we have been
talking about the depth flag.  Has everyone been keeping the offset at 12 in
all the rules?  If not (say they didn't have an offset at all), we are
talking about totally different parts of the packet.
Depth 18/Offset 12 = bytes 12-30
Depth 32/Offset 12 = bytes 12-44
Depth 32/No Offset = bytes 0-32
Depth 18/No Offset = bytes 0-18

Another question.  Does the entire content match have to fall within the
range described by depth and offset or just part of it?  Does offset
basically describe where the content starts and depth is for how long the
content is?

-Steve

> On Thu, Feb 08, 2001 at 03:52:41PM -0800, Max Vision wrote:
> > Ok I am stumped.  The depth:18; tag shouldn't even work!  The version.bind
> > string goes about 25 bytes into the packet...
> > 
> > Something is definitely broken.  Additionally, I may be confused about the
> > nature of depth (I thought depth 18 would only consider bytes 0-18), but
> > even if I'm confused, something is still broken as depth:26; isn't working
> > for some people.
> > 
> > help?
> > 
> 
> there seems to be something wrong here.. people report that depth: 32 doesn't work
> for them while depth: 18, but depth: 32 actually includes
> depth: 18.. smells very fishy... lemme play with that too :)
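The four depth/offset combinations listed in the message above, worked through as an added example that is not part of the original thread or of Snort's code. It assumes the search window is `payload[offset : offset + depth]` and that the whole content pattern must lie inside it; the Snort build under discussion may behave differently. The DNS query bytes and the rule content bytes are constructed for illustration.

```python
# Added example: model of a content search limited by offset/depth.
# ASSUMPTION: the window is payload[offset : offset + depth] and the
# entire pattern must fall inside it. This is a model, not Snort source.

def search_window(payload_len, offset=0, depth=None):
    """Return (start, end) of the searched byte range, end exclusive."""
    start = min(offset, payload_len)
    end = payload_len if depth is None else min(payload_len, offset + depth)
    return start, end

def content_match(payload, pattern, offset=0, depth=None):
    """Return the absolute index of pattern inside the window, or None."""
    start, end = search_window(len(payload), offset, depth)
    idx = payload[start:end].find(pattern)
    return None if idx < 0 else start + idx

# Constructed sample: UDP DNS query for version.bind, type TXT, class CHAOS.
DNS_HEADER = bytes.fromhex("123401000001000000000000")  # 12-byte header
QNAME = b"\x07version\x04bind\x00"                       # length-prefixed labels
QUERY = DNS_HEADER + QNAME + b"\x00\x10\x00\x03"         # QTYPE=TXT, QCLASS=CHAOS

# Hypothetical rule content: the name as it appears on the wire.
PATTERN = b"\x07version\x04bind"

# (depth, offset) pairs from the message; offset 0 stands for "No Offset".
CASES = [(18, 12), (32, 12), (32, 0), (18, 0)]

def report():
    """Evaluate every case; returns (depth, offset, window, match_index)."""
    rows = []
    for depth, offset in CASES:
        window = search_window(len(QUERY), offset, depth)
        rows.append((depth, offset, window,
                     content_match(QUERY, PATTERN, offset, depth)))
    return rows

if __name__ == "__main__":
    first = QUERY.find(PATTERN)
    print(f"pattern occupies bytes {first}-{first + len(PATTERN)} "
          f"of a {len(QUERY)}-byte payload")
    for depth, offset, (start, end), hit in report():
        result = "no match" if hit is None else f"match at byte {hit}"
        print(f"depth {depth:2} offset {offset:2} -> "
              f"window {start}-{end}: {result}")
```

Under this model only depth 18 with no offset misses, because that window ends at byte 18 while the name runs from byte 12 to byte 25.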