[Snort-devel] (no subject)
mosquitooth at ...224...
Tue Dec 26 11:30:08 EST 2006
I'm currently struggling through snort code and rules to fully understand the system. When I came across the keyword byte_jump, I - unfortunately - didn't understand something:
In the latest snort documentation it says that byte_jump would set a doe_ptr to another destination (depending on the rule). Now, what does this pointer really point to? Is this a position in the payload? Does that mean that if I jump some bytes, all later checking for content keywords will take place after the destination that doe_ptr now (after executing byte_jump) points to?
If I - for example - were to begin a rule like this:
content:"|00 00 00 01|"; offset:16; depth:4;
First, I'd jump some bytes (depending on the packet's real payload) - then I'd search for some specific content. If this content could be found in the bytes I just skipped by byte_jump - will this content be found?
Another thing is the several pointers:
What do base_ptr, doe_ptr, start_ptr, end_ptr really point to?
By the way, there are several keywords for the byte_jump keyword itself, esp. from_beginning and relative... isn't this superficial? Isn't relative == !from_beginning ?
I know that some of my questions seem (and probably are) trivial, but I really want to understand and if someone could help me out I'd be really grateful :)
Thanks for any help on this matter,
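As an added illustration of the questions above (not part of the original mail, and not Snort's own code), here is a constructed, simplified Python model of how byte_jump moves doe_ptr and how content matches are checked against it. It assumes the documented semantics: byte_jump reads the field from doe_ptr when `relative` is set (otherwise from the payload start), jumps from the end of that field unless `from_beginning` is set, and a content without distance/within ignores doe_ptr entirely; the payload bytes are made up.

```python
# Constructed, simplified model of Snort's byte_jump / doe_ptr behaviour.
# Assumptions (documented semantics, not Snort's source): `relative` changes
# where the length field is READ from; `from_beginning` changes where the jump
# is COUNTED from; plain content searches the whole payload, while content
# with distance/within is anchored at doe_ptr.

def byte_jump(payload, doe_ptr, nbytes, offset, relative=False, multiplier=1,
              big_endian=True, align=False, from_beginning=False, post_offset=0):
    """Return the new doe_ptr, or None if the option fails."""
    base = doe_ptr if relative else 0          # relative: read from doe_ptr
    start = base + offset
    field = payload[start:start + nbytes]
    if len(field) != nbytes:
        return None                             # field runs off the payload
    value = int.from_bytes(field, "big" if big_endian else "little") * multiplier
    if align:
        value = (value + 3) & ~3                # round up to 4-byte boundary
    origin = 0 if from_beginning else start + nbytes   # where the jump counts from
    new_ptr = origin + value + post_offset
    return new_ptr if 0 <= new_ptr <= len(payload) else None

def content(payload, pattern, doe_ptr=None, offset=0, depth=None,
            distance=None, within=None):
    """Return the doe_ptr after a match (end of the pattern), or None."""
    if distance is not None or within is not None:
        start = (doe_ptr or 0) + (distance or 0)   # relative to last match/jump
        end = start + within if within is not None else len(payload)
    else:
        start = offset                             # absolute: doe_ptr is ignored
        end = offset + depth if depth is not None else len(payload)
    idx = payload.find(pattern, start, end)       # pattern must fit in [start, end)
    return None if idx < 0 else idx + len(pattern)

# Constructed payload: 4-byte tag, 2-byte big-endian length (6), 6 data bytes, 2 trailing bytes.
PAYLOAD = b"\x00\x00\x00\x01" + b"\x00\x06" + b"\xaa\xbb\xca\xfe\xcc\xdd" + b"\xee\xff"

def run_rule():
    """Walk the rule from the mail: match the tag, byte_jump over the data, then search."""
    ptr = content(PAYLOAD, b"\x00\x00\x00\x01", offset=0, depth=4)      # doe_ptr -> 4
    ptr = byte_jump(PAYLOAD, ptr, 2, 0, relative=True)                   # reads 6, lands on 12
    return {
        "after_jump": ptr,
        "plain_content_in_skipped_bytes": content(PAYLOAD, b"\xca\xfe"),            # still found
        "relative_content_in_skipped_bytes": content(PAYLOAD, b"\xca\xfe", ptr, distance=0, within=2),
        "relative_content_after_jump": content(PAYLOAD, b"\xee\xff", ptr, distance=0, within=2),
    }
```

Comparing `byte_jump(PAYLOAD, 4, 2, 0, relative=True)` with `byte_jump(PAYLOAD, 4, 2, 0, relative=True, from_beginning=True)` shows the two flags are independent: both read the same field, but one counts the jump from the end of that field and the other from the payload start.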