Dirk_Geschke at ...2049...
Mon Dec 15 04:50:02 EST 2003
> The offset keyword starts searching from the beginning of the payload.
> check out - http://www.snort.org/docs/writing_rules/
the question is which payload...
Does it start with the ethernet header, aka MAC addresses, the
IP header, the TCP/UDP header or the payload of TCP/UDP.
I think it is relative to the payload of the alert type,
eg. on "alert tcp" it is ment to be relative to the TCP
payload, you don't access the TCP header with this rule.
(Otherwise most rules won't make any sense...)
More information about the Snort-sigs