[Snort-sigs] Understanding content rules

Erik de Castro Lopo erikd+snort at ...2555...
Wed Aug 4 18:19:48 EDT 2004

Hi all,

I think I've misunderstood how the various specifiers for the content
field of a snort rule work and I'm looking for some clarification.
I've looked at the Syngress "Snort 2.1" book and at the documentation


but I have yet to find anything which is sufficiently concrete.

Given a rule like this (deliberately chosen to be slightly confusing):

    content:"abc"; offset:2; depth:5;

Reading the documentation listed above, it is unclear whether the
above rule matches a kind of packet like:


or any of the packets like:


On the web page referenced above, the offset and depth specifiers
are documented as:

         modifier for the content option, sets the offset to begin 
         attempting a pattern match
         modifier for the content option, sets the maximum search 
         depth for a pattern match attempt

The problem here is that there is no indication of where the depth 
specifier's count begins. If one were just reading the documentation
one might reasonably assume that it is the start of the packet (and
hence only a single match), but comparison with existing snort rules
suggests that the depth specifier is anchored at the byte indexed
by the offset specifier.

If the second interpretation is correct, then maybe the documentation
for the depth could be updated to something like:

         Modifier for the content option, sets the maximum search 
         depth for a pattern match attempt. The depth is measured 
         from the byte index given by the offset specifier.

[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo at ...2555...
[W] http://www.sensorynetworks.com
[T] +61 2 83022726 
[F] +61 2 94750316 
[A] L4/140 William St, East Sydney NSW 2011, Australia
A good debugger is no substitute for a good test suite.
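Editor's note: the following is an added example, not part of Erik's post and not Snort code. It models the two readings of offset/depth that the post contrasts on the exact rule in question, content:"abc"; offset:2; depth:5;, so the difference can be seen on constructed payloads. Reading 2 (depth measured from the byte at offset, so the search window is bytes [offset, offset+depth)) is the one the post infers from existing rules, and it is also my understanding of what Snort actually does; reading 1 (depth measured from the start of the payload) is included only for comparison. The option parser is a deliberately minimal stand-in for Snort's rule parser: it handles only content, offset and depth, plain quoted strings, and no |hex| escapes. All payloads are constructed sample data.

```python
"""Model of Snort content/offset/depth matching under the two readings in the post.

Editor's example, written for this thread; not Snort source code.
"""
import re

# Matches `keyword:value;` pairs, where value is a quoted string or bare text.
_OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def search_window(payload_len, offset=0, depth=None, depth_from_offset=True):
    """Return (start, end) of the byte range a content match may occupy.

    depth_from_offset=True : window is [offset, offset + depth)  (reading 2:
                             depth counted from the byte at offset)
    depth_from_offset=False: window is [offset, depth)           (reading 1:
                             depth counted from the start of the payload)
    depth=None means "search to the end of the payload".
    Both ends are clamped to the payload so short packets never raise.
    """
    start = min(offset, payload_len)
    if depth is None:
        end = payload_len
    elif depth_from_offset:
        end = offset + depth
    else:
        end = depth
    return start, min(max(end, start), payload_len)


def content_match(payload, pattern, offset=0, depth=None, depth_from_offset=True):
    """Return the index where `pattern` matches wholly inside the window, or -1.

    bytes.find(sub, start, end) only reports matches that fit entirely within
    [start, end), so a pattern that starts inside the window but runs past its
    end is correctly rejected.
    """
    start, end = search_window(len(payload), offset, depth, depth_from_offset)
    return payload.find(pattern, start, end)


def parse_content_options(options):
    """Parse e.g. 'content:"abc"; offset:2; depth:5;' into a dict.

    Minimal stand-in for Snort's parser (assumption for this example): only
    content/offset/depth, plain quoted strings, no |hex| escapes.
    """
    rule = {"offset": 0, "depth": None}
    for key, value in _OPT_RE.findall(options):
        if key == "content":
            rule["content"] = value[1:-1].encode()   # strip the surrounding quotes
        elif key in ("offset", "depth"):
            rule[key] = int(value)
        else:
            raise ValueError(f"unsupported option in this example: {key}")
    if "content" not in rule:
        raise ValueError("offset/depth are modifiers; a content option is required")
    return rule


def rule_matches(options, payload, depth_from_offset=True):
    """True if the content option string matches `payload` under the chosen reading."""
    rule = parse_content_options(options)
    return content_match(payload, rule["content"], rule["offset"],
                         rule["depth"], depth_from_offset) != -1


if __name__ == "__main__":
    RULE = 'content:"abc"; offset:2; depth:5;'   # the rule from the post
    # Constructed payloads: "abc" at byte 2, 3, 4, 5 and 0 respectively.
    for payload in (b"xxabcxxx", b"xxxabcxx", b"xxxxabcx", b"xxxxxabc", b"abcxxxxx"):
        print(payload,
              "reading2(from offset):", rule_matches(RULE, payload, True),
              "reading1(from start):", rule_matches(RULE, payload, False))
```

Under reading 2 the window for the post's rule is bytes 2..6, so "abc" starting at byte 2, 3 or 4 matches and a match at byte 5 does not, because its last byte would land outside the window. Under reading 1 the window is bytes 2..4 and only a pattern starting exactly at byte 2 can fit, which is the "only a single match" case the post describes.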
