[Snort-devel] Interpretation of "offset" in context of "uricontent" keyword

Intru Defender intrusec at ...1780...
Sat Jan 7 12:55:04 EST 2006

Hi All,
I am reposting this question in the hope of getting some replies:

I need a little clarification about the interpretation of the "offset" modifier in conjunction with the "uricontent" keyword.

Does Snort treat "offset" differently in the case of the "uricontent" keyword?

Does Snort, in the case of the "uricontent" keyword, treat "offset:0" from the start of the URI, and not from the start of the payload?

The Snort manual says that "offset" tells how many bytes to skip before starting to look for the specified "content" keyword, and that "offset" is calculated from the start of the payload. For example:

content: ".html"; offset:4; would mean start looking for ".html" after 4 bytes.

However, in the case of the "uricontent" keyword, will uricontent: ".html"; offset:0; depth:5; mean start looking from the start of the URI and in the next 5 characters? Or will it mean start looking for ".html" in the first 5 bytes of the payload?

Any help will be highly appreciated.


Intru Defender
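
An added illustration, not part of the original post and not Snort's own code: a small Python model of the two readings asked about above, applying the same offset/depth window either to the whole payload or to the URI alone. It does not say which reading Snort implements. Assumptions: depth is counted from the offset position, the URI is the raw request-line URI with no normalization, and the function names and sample request are constructed for this example.

```python
# Constructed sample HTTP request (not taken from the post).
PAYLOAD = b"GET /a.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

def window_match(buf, pattern, offset=0, depth=None):
    """Index of pattern inside buf[offset:offset+depth], or -1.

    Assumption: depth is measured from the offset position; no depth
    means "search to the end of the buffer".
    """
    if offset > len(buf):
        return -1
    end = len(buf) if depth is None else min(len(buf), offset + depth)
    # bytes.find only reports matches that lie entirely inside [offset, end)
    return buf.find(pattern, offset, end)

def request_uri(payload):
    """Raw URI from the request line; no decoding or normalization (assumption)."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""

def compare(payload, pattern, offset, depth):
    """Evaluate one pattern/offset/depth under both readings."""
    uri = request_uri(payload)
    return {
        "payload_relative": window_match(payload, pattern, offset, depth) != -1,
        "uri_relative": window_match(uri, pattern, offset, depth) != -1,
    }

if __name__ == "__main__":
    # The options from the post, plus two variants where the readings diverge.
    for offset, depth in [(0, 5), (0, 7), (4, 7)]:
        print(f"offset:{offset}; depth:{depth};",
              compare(PAYLOAD, b".html", offset, depth))
```

With this sample request, offset:0; depth:5 matches under neither reading because the window is too short to reach ".html", while offset:0; depth:7 matches only when counted from the URI and offset:4; depth:7 matches only when counted from the payload.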