[Snort-devel] ACK. Re: [Snort-users] version.bind (part of the problem) (fwd)

Martin Roesch roesch at ...48...
Fri Feb 9 12:15:02 EST 2001


Correct, no offset = 0.  The code looks like this:

/* Start the search "offset" bytes into the payload; sub_depth bounds how
 * many bytes are searched from there. exception_flag inverts the result
 * for negated content. */
found = (idx->search((char *)(p->data+idx->offset), 
                     sub_depth,idx->pattern_buf,
                     idx->pattern_size, idx->skip_stride, 
                     idx->shift_stride) ^ idx->exception_flag);

Note the first argument to the function, p->data+idx->offset.  The value
is set to the current pointer position + "offset".  If offset is set to
12, that means we start


02/09-15:52:13.036910 62.181.128.1:63840 -> 62.159.219.82:53
UDP TTL:248 TOS:0x0 ID:53263 IpLen:20 DgmLen:58 DF
Len: 38
00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
                                    ^^
                                   here


Dig it? :)

   -Marty


Max Vision wrote:
> 
> Correct me if I'm wrong, but if "no offset" is 0, then offset 12 is
> starting at byte 13. I took this into account in making the rule though as
> it shouldn't affect detection either way.
> If my above logic is wrong, then offsets zero and one are the same...
> Max
> 
> On Fri, 9 Feb 2001, Steve Halligan wrote:
> > Just a question of clarification.  Through all of this debate we have been
> > talking about the depth flag.  Has everyone been keeping the offset at 12 in
> > all the rules?  If not (say they didn't have an offset at all), we are
> > talking about totally different parts of the packet.
> > Depth 18/Offset 12 = bytes 12-30
> > Depth 32/Offset 12 = bytes 12-44
> > Depth 32/No Offset = bytes 0-32
> > Depth 18/No Offset = bytes 0-18
> >
> > Another question.  Does the entire content match have to fall within the
> > range described by depth and offset or just part of it?  Does offset
> > basically describe where the content starts and depth is for how long the
> > content is?
> >
> > -Steve
> >
> > > On Thu, Feb 08, 2001 at 03:52:41PM -0800, Max Vision wrote:
> > > > Ok I am stumped.  The depth:18; tag shouldn't even work!  The version.bind
> > > > string goes about 25 bytes into the packet...
> > > >
> > > > Something is definitely broken.  Additionally, I may be confused about the
> > > > nature of depth (I thought depth 18 would only consider bytes 0-18), but
> > > > even if I'm confused, something is still broken as depth:26; isn't working
> > > > for some people.
> > > >
> > > > help?
> > > >
> > >
> > >
> > > there seems to be something wrong here.. people report that depth: 32
> > > doesn't work for them while depth: 18, but depth: 32 actually includes
> > > depth: 18.. smells very fishy... lemme play with that too :)
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > >
> >
> 

--
Martin Roesch
roesch at ...48...
http://www.snort.org
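The following is an added example, not code from this thread or from Snort itself, that models the offset/depth window the thread is arguing about against the version.bind query in Marty's dump. Two things are assumed: the last 14 bytes of the payload (the dump shows only the first 16; the rest of the QNAME plus QTYPE=TXT, QCLASS=CH is reconstructed from a normal version.bind query and the UDP length 38 - 8 = 30), and the match semantics, namely that offset is the 0-based payload byte where the search starts and the whole pattern must fit inside the next "depth" bytes. The rule content |07|version|04|bind| is also an assumption; the thread never shows the rule itself. The helper names content_match and match_version_bind are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed payload of the version.bind query from the dump above.
 * The first 16 bytes are the hex shown in the thread; the remaining 14
 * (rest of the QNAME, QTYPE=TXT, QCLASS=CH) are assumed.  30 bytes total,
 * which matches the UDP "Len: 38" minus the 8-byte UDP header. */
static const uint8_t version_bind_query[30] = {
    0x00, 0x06, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,  /* ID, flags, QDCOUNT, ANCOUNT */
    0x00, 0x00, 0x00, 0x00,                          /* NSCOUNT, ARCOUNT; header ends at byte 11 */
    0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n',         /* byte 12: label length 7, "version" */
    0x04, 'b', 'i', 'n', 'd', 0x00,                  /* label length 4, "bind", root label */
    0x00, 0x10, 0x00, 0x03                           /* QTYPE TXT, QCLASS CHAOS */
};

/* Assumed content-match semantics (the reading the thread converges on, not
 * code taken from Snort): offset is the 0-based payload byte where the search
 * starts; depth is how many bytes from there are searched, and the entire
 * pattern must fit inside that window.  depth == 0 means "to end of payload".
 * Returns the 0-based payload position of the first match, or -1. */
long content_match(const uint8_t *payload, size_t payload_len,
                   const uint8_t *pattern, size_t pattern_len,
                   size_t offset, size_t depth)
{
    if (pattern_len == 0 || offset >= payload_len)
        return -1;

    size_t avail  = payload_len - offset;            /* bytes left after offset */
    size_t window = (depth == 0 || depth > avail) ? avail : depth;

    if (pattern_len > window)                        /* cannot fit in the window */
        return -1;

    for (size_t i = 0; i + pattern_len <= window; i++) {
        if (memcmp(payload + offset + i, pattern, pattern_len) == 0)
            return (long)(offset + i);
    }
    return -1;
}

/* Evaluate one offset/depth pair against the query with the assumed rule
 * content |07|version|04|bind| (13 bytes, occupying payload bytes 12-24). */
long match_version_bind(size_t offset, size_t depth)
{
    static const uint8_t pat[] = { 0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n',
                                   0x04, 'b', 'i', 'n', 'd' };
    return content_match(version_bind_query, sizeof version_bind_query,
                         pat, sizeof pat, offset, depth);
}

int main(void)
{
    /* The four variants Steve listed, plus Max's "offset 12 starts at byte 13" reading. */
    const struct { size_t offset, depth; const char *label; } cases[] = {
        { 12, 18, "depth 18 / offset 12 (window: bytes 12-29)" },
        { 12, 32, "depth 32 / offset 12 (window clipped at payload end)" },
        {  0, 32, "depth 32 / no offset (window: bytes 0-29)" },
        {  0, 18, "depth 18 / no offset (window: bytes 0-17, pattern ends at 24)" },
        { 13, 18, "depth 18 / offset 13 (skips the 07 length byte)" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long pos = match_version_bind(cases[i].offset, cases[i].depth);
        if (pos < 0)
            printf("%-64s -> no match\n", cases[i].label);
        else
            printf("%-64s -> match at byte %ld\n", cases[i].label, pos);
    }
    return 0;
}
```

Under these semantics depth:18 with offset:12 covers exactly the 18-byte question section (bytes 12-29), so it matches, while depth:18 with no offset stops at byte 17 and misses a pattern that ends at byte 24; that is the answer to Steve's question of whether the whole content has to fall inside the window. Whether the sub_depth in Marty's snippet is computed exactly this way is not settled by the thread, so treat the window arithmetic as the stated assumption.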
