[Snort-devel] (no subject)

Peter Schmitz mosquitooth at ...224...
Tue Dec 26 11:30:08 EST 2006


I'm currently struggling through the snort code and rules to fully understand the system. When I came across the keyword byte_jump, I - unfortunately - didn't understand something:

In the latest snort documentation it says that byte_jump would set a doe_ptr to another destination (depending on the rule). Now, what does this pointer really point to? Is this a position in the payload? Does that mean that if I jump some bytes, all later checking for content keywords will take place after the destination doe_ptr now (after executing byte_jump) points to?

If I - for example - would begin a rule like this: 

content:"|00 00 00 01|"; offset:16; depth:4; 

First, I'd jump some bytes (depending on the packet's real payload) - then I'd search for some specific content. If this content could be found in the bytes I just skipped by byte_jump - will this content be found?

Another thing is the several pointers:

What do base_ptr, doe_ptr, start_ptr, end_ptr really point to?

By the way, there are several keywords for the byte_jump keyword itself, esp. from_beginning and relative... isn't this superficial? Isn't relative == !from_beginning?

I know that some of my questions seem (and probably are) trivial, but I really want to understand and if someone could help me out I'd be really grateful :)

Thanks for any help on this matter, 
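The behaviour asked about above, modelled as an added Python example (not Snort's own code), following the byte_jump and content semantics documented in the Snort 2 manual: doe_ptr is a cursor into the payload that a content match moves past the match; a relative content search starts at that cursor while a non-relative one starts at the beginning of the payload, so bytes skipped by byte_jump are still searched by non-relative content; and byte_jump's `relative` decides where its bytes are read while `from_beginning` decides where the jump starts, so the two are independent. The payload, rule values and function names are constructed for the illustration.

```python
# Added illustration of Snort 2 byte_jump / doe_ptr semantics; not Snort's code.
# doe_ptr is modelled as an integer cursor into the payload. The payload and rule
# values below are constructed for the example.

def content_match(payload, pattern, doe, relative=False, offset=0, depth=None):
    """Model of content:"pattern"; [offset; depth; relative;].
    Non-relative content searches from the payload start, relative content from
    doe_ptr. Returns the new doe_ptr (just past the match) or None."""
    start = (doe if relative else 0) + offset
    end = len(payload) if depth is None else min(len(payload), start + depth)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)

def byte_jump(payload, nbytes, offset, doe, relative=False, from_beginning=False,
              big_endian=True, multiplier=1):
    """Model of byte_jump:nbytes,offset[,relative][,from_beginning][,little].
    'relative' decides where the bytes are read (doe_ptr or payload start);
    'from_beginning' decides where the jump starts (payload start or just after
    the bytes read). Returns the new doe_ptr, or None if it leaves the payload."""
    pos = (doe if relative else 0) + offset
    raw = payload[pos:pos + nbytes]
    if len(raw) != nbytes:
        return None
    value = int.from_bytes(raw, "big" if big_endian else "little") * multiplier
    new_doe = value if from_beginning else pos + nbytes + value
    return new_doe if 0 <= new_doe <= len(payload) else None

# Constructed payload: 16-byte header, the |00 00 00 01| tag, a 2-byte length (3),
# 3 bytes of data "ABC", then a marker.
PAYLOAD = b"H" * 16 + b"\x00\x00\x00\x01" + b"\x00\x03" + b"ABC" + b"MARK"

def evaluate_rule(payload=PAYLOAD):
    """Walk the cursor through: content:"|00 00 00 01|"; offset:16; depth:4;
    byte_jump:2,0,relative; then look for "ABC" with and without 'relative'."""
    doe = content_match(payload, b"\x00\x00\x00\x01", 0, offset=16, depth=4)
    assert doe == 20
    after_jump = byte_jump(payload, 2, 0, doe, relative=True)  # 20 + 2 + 3 = 25
    return {
        "doe_after_jump": after_jump,
        # relative content starts at doe_ptr, so the skipped "ABC" is NOT seen
        "ABC_relative": content_match(payload, b"ABC", after_jump, relative=True),
        # non-relative content starts at payload offset 0, so "ABC" IS found
        "ABC_absolute": content_match(payload, b"ABC", after_jump),
        # same bytes read, but from_beginning jumps from the payload start
        "from_beginning": byte_jump(payload, 2, 0, doe, relative=True, from_beginning=True),
        # relative=False with an absolute offset reads the same length field
        "absolute_offset": byte_jump(payload, 2, 20, doe),
    }
```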

