[Snort-devel] ACK. Re: [Snort-users] version.bind (part of the problem) (fwd)
vision at ...195...
Fri Feb 9 12:03:25 EST 2001
Correct me if I'm wrong, but if "no offset" is 0, then offset 12 is
starting at byte 13. I took this into account in making the rule though as
it shouldn't affect detection either way.
If my above logic is wrong, then offsets zero and one are the same...
On Fri, 9 Feb 2001, Steve Halligan wrote:
> Just a question of clarification. Through all of this debate we have been
> talking about the depth flag. Has everyone been keeping the offset at 12 in
> all the rules? If not (say they didn't have an offset at all), we are
> talking about totally different parts of the packet.
> Depth 18/Offset 12 = bytes 12-30
> Depth 32/Offset 12 = bytes 12-44
> Depth 32/No Offset = bytes 0-32
> Depth 18/No Offset = bytes 0-18
> Another question. Does the entire content match have to fall within the
> range described by depth and offset or just part of it? Does offset
> basically describe where the content starts and depth is for how long the
> content is?
> > On Thu, Feb 08, 2001 at 03:52:41PM -0800, Max Vision wrote:
> > > Ok I am stumped. The depth:18; tag shouldn't even work! The version.bind
> > > string goes about 25 bytes into the packet...
> > >
> > > Something is definitely broken. Additionally, I may be confused about the
> > > nature of depth (I thought depth 18 would only consider bytes 0-18), but
> > > even if I'm confused, something is still broken as depth:26; isn't working
> > > for some people.
> > >
> > > help?
> > >
> > there seems to be something wrong here.. people report that depth: 32
> > doesn't work for them while depth: 18, but depth: 32 actually includes
> > depth: 18.. smells very fishy... lemme play with that too :)
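
Added example (not part of the original thread, and not Snort's own code): a small Python model of the offset/depth window debated in the messages above, run against a constructed version.bind query payload. It assumes zero-based offsets, depth counted from the offset, and that the whole pattern must fit inside the window; the pattern bytes and helper names are illustrative, not the rule under discussion.

```python
import struct

def dns_query(name, qtype=16, qclass=3, txid=0x1234):
    """Constructed UDP DNS query payload: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, qclass)

def window(payload_len, offset=0, depth=0):
    """Zero-based [start, end) range searched; depth 0 means 'to end of payload'."""
    start = min(offset, payload_len)
    end = payload_len if depth == 0 else min(start + depth, payload_len)
    return start, end

def content_match(payload, pattern, offset=0, depth=0):
    """True only when the whole pattern lies inside the offset/depth window."""
    start, end = window(len(payload), offset, depth)
    return payload[start:end].find(pattern) != -1

# Constructed sample: TXT (16) / CHAOS (3) query for version.bind.
PAYLOAD = dns_query("version.bind")
# Assumed pattern: the wire-encoded name, which begins right after the header.
PATTERN = b"\x07version\x04bind"

def report():
    """Evaluate the offset/depth pairs listed in the thread plus one tight case."""
    rows = []
    for offset, depth in [(12, 18), (12, 32), (0, 32), (0, 18), (12, 13)]:
        start, end = window(len(PAYLOAD), offset, depth)
        hit = content_match(PAYLOAD, PATTERN, offset, depth)
        rows.append((offset, depth, start, end, hit))
    return rows

if __name__ == "__main__":
    first = PAYLOAD.find(PATTERN)
    print("payload length:", len(PAYLOAD))
    print("pattern occupies bytes [%d, %d)" % (first, first + len(PATTERN)))
    for offset, depth, start, end, hit in report():
        print("offset=%-2d depth=%-2d window=[%d, %d) match=%s"
              % (offset, depth, start, end, hit))
```

Under these assumptions, offset 12 begins at the thirteenth byte (index 12, the first byte after the DNS header), and a depth-18 window with no offset ends before the pattern does, so it cannot match.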