[Snort-devel] ACK. Re: [Snort-users] version.bind (part of the problem) (fwd)

Fyodor fygrave at ...1...
Sat Feb 10 12:57:44 EST 2001


On Fri, Feb 09, 2001 at 10:54:09AM -0600, Steve Halligan wrote:
> Just a question of clarification.  Through all of this debate we have been
> talking about the depth flag.  Has everyone been keeping the offset at 12 in
> all the rules?  If not (say they didn't have an offset at all), we are
> talking about totally different parts of the packet.
> Depth 18/Offset 12 = bytes 12-30
> Depth 32/Offset 12 = bytes 12-44
> Depth 32/No Offset = bytes 0-32
> Depth 18/No Offset = bytes 0-18
> 
> Another question.  Does the entire content match have to fall within the
> range described by depth and offset or just part of it?  Does offset
> basically describe where the content starts and depth is for how long the
> content is?


Offset says where to start looking from, depth says how deep into the packet you should go...
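
The window arithmetic discussed in this thread, as an added example that is not part of the original messages and is not Snort's own code. It assumes offsets count from the first payload byte, that depth is measured from the offset, and that the whole pattern must lie inside the resulting window (the behaviour described in the Snort manual); the DNS query and all function names are constructed for illustration.

```python
# Added illustration: a model of the content/offset/depth window, not Snort source.
import struct

def search_window(payload_len, offset=0, depth=None):
    """Return (start, end), the half-open byte range a content match may use."""
    start = min(offset, payload_len)
    end = payload_len if depth is None else min(start + depth, payload_len)
    return start, end

def content_match(payload, pattern, offset=0, depth=None):
    """Return the absolute index of the match, or -1 if there is none.

    The search runs only over the window slice, so every byte of the
    pattern has to fall between offset and offset + depth.
    """
    start, end = search_window(len(payload), offset, depth)
    idx = payload[start:end].find(pattern)
    return -1 if idx < 0 else start + idx

def version_bind_query(txid=0x1234):
    """Constructed sample: DNS query for version.bind, type TXT, class CHAOS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12-byte header
    qname = b"\x07version\x04bind\x00"                          # bytes 12-25
    question = qname + struct.pack("!HH", 16, 3)                # QTYPE=TXT, QCLASS=CH
    return header + question

if __name__ == "__main__":
    pkt = version_bind_query()
    pat = b"\x07version\x04bind"
    # The four offset/depth combinations from the thread, plus a window too
    # short to hold the whole pattern.
    for off, dep in [(12, 18), (12, 32), (0, 32), (0, 18), (12, 8)]:
        lo, hi = search_window(len(pkt), off, dep)
        hit = content_match(pkt, pat, off, dep)
        print(f"offset={off:2} depth={dep:2} window=[{lo},{hi}) match_at={hit}")
```

With depth 18 and no offset the window ends at byte 18, before the pattern finishes at byte 24, so the same content that matches at offset 12 is missed.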



