[Snort-devel] ACK. Re: [Snort-users] version.bind (part of t he problem) (fwd)
fygrave at ...1...
Sat Feb 10 12:57:44 EST 2001
On Fri, Feb 09, 2001 at 10:54:09AM -0600, Steve Halligan wrote:
> Just a question of clarification. Through all of this debate we have been
> talking about the depth flag. Has everyone been keeping the offset at 12 in
> all the rules? If not (say they didn't have an offset at all), we are
> talking about totally different parts of the packet.
> Depth 18/Offset 12 = bytes 12-30
> Depth 32/Offset 12 = bytes 12-44
> Depth 32/No Offset = bytes 0-32
> Depth 18/No Offset = bytes 0-18
> Another question. Does the entire content match have to fall within the
> range described by depth and offset or just part of it? Does offset
> basically describe where the content starts and depth is for how long the
> content is?
Offset says where to start looking from, depth says how deep into the packet you should go...
More information about the Snort-devel