[Snort-sigs] Understanding content rules
alex.kirk at ...435...
Thu Aug 5 05:43:03 EDT 2004
That's a good question, and is part of the reason I'm actually starting
to work on improving the online documentation (I'm new here at
Sourcefire in the last 3 months, and am only now in a good position to
write proper documentation).
Your second interpretation is indeed correct -- offset and depth are
designed to work together, and the count for depth starts from the end
of offset. There's actually something called the doe_ptr (a concept that
will be going in the Snort FAQ once I have it fully fleshed out) that
acts as a sort of a placemarker for where you are in the packet. Thus,
if "x" is your doe_ptr, your packet looks like this at the start of
When you use offset:2, the packet looks like this:
Specifying the depth:5 means your packet will never get beyond this point:
Thus, if you used this rule (keeping in mind that any any rules are
usually more overhead than they're worth, but are less annoying to type):
alert tcp any any -> any any (msg:"Test Rule"; content:"jkl"; offset:2; depth:5;)
you'd never get a match, even though "jkl" is present in the packet.
Hopefully that makes sense; feel free to ask for any clarification.
>I think I've misunderstood how the various specifiers for the content
>field of a snort rule work and I'm looking for some clarification.
>I've looked at the Syngress "Snort 2.1" book and at the documentation
>but I have yet to find anything which is sufficiently concrete.
>Given a rule like this (deliberately chosen to be slightly confusing):
> content:"abc"; offset:2; depth:5;
>Reading the documentation listed above, it is unclear whether the
>above rule matches a kind of packet like:
>or any of the packets like:
>On the web page referenced above, the offset and depth specifiers
>are documented as:
> modifier for the content option, sets the offset to begin
> attempting a pattern match
> modifier for the content option, sets the maximum search
> depth for a pattern match attempt
>The problem here is that there is no indication of where the depth
>specifier's count begins. If one were just reading the documentation
>one might reasonably assume that it is the start of the packet (and
>hence only a single match), but comparison with existing snort rules
>suggests that the depth specifier is anchored at the byte indexed
>by the offset specifier.
>If the second interpretation is correct, then maybe the documentation
>for the depth could be updated to something like:
> Modifier for the content option, sets the maximum search
> depth for a pattern match attempt. The depth is measured
> from the byte index given by the offset specifier.
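The offset/depth semantics confirmed above, worked through in code. This is an added example for this thread, not Snort source: it emulates the content/offset/depth window on a constructed payload, shows why the reply's "jkl" rule never matches, and keeps the question's rejected reading (depth counted from byte 0) alongside so you can see exactly where the two interpretations diverge. The function names, the sample payload and the modelling of the placemarker as "one past the last matched byte" (the point Snort 2.x measures `distance`/`within` from) are this example's own assumptions.

```python
from typing import Optional

# Constructed sample payload; the thread's ASCII diagrams did not survive extraction.
PAYLOAD = b"abcdefghijklmnop"


def search_window(payload: bytes, offset: int = 0, depth: Optional[int] = None) -> bytes:
    """Bytes a content match is allowed to use: `depth` bytes starting at `offset`.

    This is the reading confirmed in the reply: depth is counted from the
    offset, not from byte 0 of the payload, so the window is [offset, offset+depth).
    """
    if offset < 0 or (depth is not None and depth < 0):
        raise ValueError("offset and depth must not be negative")
    end = None if depth is None else offset + depth
    return payload[offset:end]


def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> int:
    """Absolute index of the first occurrence of `content` inside the window, or -1.

    The whole pattern has to lie inside the window; a pattern that starts
    inside it but runs past offset+depth does not match. That is why the
    reply's content:"jkl"; offset:2; depth:5; can never fire on PAYLOAD.
    """
    idx = search_window(payload, offset, depth).find(content)
    return -1 if idx < 0 else offset + idx


def doe_ptr_after(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> Optional[int]:
    """Where the placemarker ends up after a successful match.

    Assumption of this example: modelled as one past the last matched byte,
    which is where Snort 2.x anchors later distance/within modifiers.
    Returns None when there is no match.
    """
    idx = content_match(payload, content, offset, depth)
    return None if idx < 0 else idx + len(content)


def depth_from_packet_start(payload: bytes, content: bytes, offset: int = 0,
                            depth: Optional[int] = None) -> int:
    """The question's first reading: depth counted from byte 0, window = payload[offset:depth].

    Kept only to show where the two interpretations differ; Snort does NOT do this.
    """
    window = payload[offset:] if depth is None else payload[offset:depth]
    idx = window.find(content)
    return -1 if idx < 0 else offset + idx


if __name__ == "__main__":
    # The reply's example: offset:2; depth:5; restricts the search to payload[2:7].
    print(search_window(PAYLOAD, 2, 5))                   # b'cdefg'
    print(content_match(PAYLOAD, b"jkl", 2, 5))           # -1, "jkl" sits at byte 9
    print(content_match(PAYLOAD, b"jkl"))                 # 9, unrestricted search finds it
    print(doe_ptr_after(PAYLOAD, b"jkl"))                 # 12, placemarker after the match
    # A pattern that only fits if depth is counted from the offset:
    print(content_match(PAYLOAD, b"fg", 2, 5))            # 5  (window b"cdefg")
    print(depth_from_packet_start(PAYLOAD, b"fg", 2, 5))  # -1 (window would be b"cde")
```

When checking a real rule against a captured payload, print `search_window()` first: most "why doesn't this content match" puzzles come down to the window being shorter than the pattern's position, not to the pattern itself.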