[Snort-devel] ACK. Re: [Snort-users] version.bind (part of the problem) (fwd)

Martin Roesch roesch at ...48...
Sat Feb 10 13:36:39 EST 2001


Fyodor wrote:
> 
> On Fri, Feb 09, 2001 at 10:54:09AM -0600, Steve Halligan wrote:
> > Just a question of clarification.  Through all of this debate we have been
> > talking about the depth flag.  Has everyone been keeping the offset at 12 in
> > all the rules?  If not (say they didn't have an offset at all), we are
> > talking about totally different parts of the packet.
> > Depth 18/Offset 12 = bytes 12-30
> > Depth 32/Offset 12 = bytes 12-44
> > Depth 32/No Offset = bytes 0-32
> > Depth 18/No Offset = bytes 0-18
> >
> > Another question.  Does the entire content match have to fall within the
> > range described by depth and offset or just part of it?  Does offset
> > basically describe where the content starts and depth is for how long the
> > content is?
> 
> Offset says where to start looking from, depth says how deep into the packet you should go...

Actually, depth says how deep into the packet *from the offset* you go. 
This way you can section out specific areas of the payload for
inspection.

     -Marty


--
Martin Roesch
roesch at ...48...
http://www.snort.org
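
Added example, not part of the original message and not Snort's own code: a small Python model of the offset/depth window as Marty describes it (depth counted from the offset), run against a constructed DNS version.bind query. The function names, the sample packet, and the rule that the whole pattern must lie inside the window are assumptions made for this illustration.

```python
import struct

# Pattern as a DNS-encoded name: length-prefixed labels "version" and "bind".
PATTERN = b"\x07version\x04bind"


def build_version_bind_query(txid=0x1234):
    """Constructed sample: DNS query for version.bind, type TXT, class CHAOS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12-byte header
    question = PATTERN + b"\x00" + struct.pack("!HH", 16, 3)   # TXT=16, CH=3
    return header + question


def search_window(payload, offset=0, depth=None):
    """Return (start, end) of the bytes searched; end is exclusive.

    depth is measured from offset, not from the start of the payload,
    so offset 12 / depth 18 covers 18 bytes beginning at byte 12.
    """
    start = min(offset, len(payload))
    if depth is None:
        end = len(payload)
    else:
        end = min(start + depth, len(payload))
    return start, end


def content_match(payload, pattern, offset=0, depth=None):
    """Assumption: the entire pattern must fall inside the window."""
    start, end = search_window(payload, offset, depth)
    return payload.find(pattern, start, end) != -1


if __name__ == "__main__":
    pkt = build_version_bind_query()
    for off, dep in [(12, 18), (12, 32), (0, 32), (0, 18)]:
        print(off, dep, search_window(pkt, off, dep),
              content_match(pkt, PATTERN, off, dep))
```

In this model the query name starts at byte 12, right after the DNS header, so offset 12 with depth 18 finds it while depth 18 with no offset stops at byte 18 and misses it.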
