[Snort-devel] Isdataat's 'rawbytes' parameter

Joshua.Kinard at ...3108... Joshua.Kinard at ...3108...
Wed Aug 18 21:08:17 EDT 2010

Hi -devel,

Looking through Snort's sourcecode, I've noticed an undocumented
parameter to the 'isdataat' rule option, "rawbytes".

Per src/detection-plugins/sp_isdataat.c:

Line 27
 * Arguments:
 *    <int>         byte location to check if there is data
 *    ["relative"]  look for byte location relative to the end of the
 *                  pattern match
 *    ["rawbytes"]  force use of the non-normalized buffer.

Line 255
        else if(!strcasecmp(cptr, "rawbytes"))
            /* the offset is to be applied to the non-normalized buffer
            idx->flags |= ISDATAAT_RAWBYTES_FLAG;

Line 302
     if (isdata->flags & ISDATAAT_RAWBYTES_FLAG)
        /* Rawbytes specified, force use of that buffer */
        dsize = p->dsize;
        start_ptr = p->data;
                    "Using RAWBYTES buffer!\n"););

This option is not mentioned in any Snort documentation or SourceFire
documentation (I checked 2.8.6 and 2.9.0-beta's manuals, plus the SF
System Analyst guide for 4.9.1).

Can we look at getting this mentioned so rule writers can make use of
it?  Does the use of the rawbytes parameter to isdataat introduce any
constraints with other rule options?  Is it compatible with the relative

Also, can someone alert the SourceFire documentation people to its
existence as well?



More information about the Snort-devel mailing list