[Snort-sigs] Offset

Martin Olsson elof at ...1288...
Mon Dec 15 01:49:03 EST 2003


Quick question:

Is the "offset" keyword based on the beginning of the frame or the
beginning of the protocol payload?

Example:
Will the following rule start searching for "foo" from point A or B?

content: "foo"; offset: 0;

Frame-hdr  IP-hdr  TCP-hdr  TCP-data  Frame-End
^                           ^
A                           B

/Martin




