[Snort-sigs] Understanding content rules

Alex Kirk alex.kirk at ...435...
Thu Aug 5 05:43:03 EDT 2004


That's a good question, and is part of the reason I'm actually starting 
to work on improving the online documentation (I'm new here at 
Sourcefire in the last 3 months, and am only now in a good position to 
write proper documentation).

Your second interpretation is indeed correct -- offset and depth are 
designed to work together, and the count for depth starts from the end 
of offset. There's actually something called the doe_ptr (a concept that 
will be going in the Snort FAQ once I have it fully fleshed out) that 
acts as a sort of a placemarker for where you are in the packet. Thus, 
if "x" is your doe_ptr, your packet looks like this at the start of 
pattern matching:


When you use offset:2, the packet looks like this:


Specifying the depth:5 means your packet will never get beyond this point:


Thus, if you used this rule (keeping in mind that any any rules are 
usually more overhead than they're worth, but are less annoying to type):

alert tcp any any -> any any (msg:"Test Rule"; content:"jkl"; offset:2; 

you'd never get a match, even though "jkl" are present in the packet.

Hoepfully that makes sense; feel free to ask for any clarification 

Alex Kirk
Research Analyst
Sourcefire, Inc.

>Hi all,
>I think I've misunderstood how the various specifiers for the content
>field of a snort rule work and I'm looking for some clarification.
>I've looked at Syngress "Snort 2.1" book and at the documentation
>    http://www.snort.org/docs/writing_rules/chap2.html
>but I have yet to find anything which sufficiently concrete.
>Given a rule like this (deliberately chosen to be slightly confusing):
>    content:"abc"; offset:2; depth:5;
>Reading the documentation listed above, it is unclear whether the
>above rule matches a kind of packet like:
>    "..abc...."
>or any of the packets like:
>    "..abc...."
>    "...abc..."
>    "....abc.."
>On the web page referenced above, the offset and depth specifiers
>are documented as:
>    offset
>         modifier for the content option, sets the offset to begin 
>         attempting a pattern match
>    depth
>         modifier for the content option, sets the maximum search 
>         depth for a pattern match attempt
>The problem here is that there is no indication of where the depth 
>specifier's count begins. If one were just reading the documentation
>one might reasonably assume that it is the start of the packet (and
>hence only a single match), but comparison with existing snort rules
>suggests that the depth specifier is anchored at the byte indexed
>by the offset specifier.
>If the second interpretation is correct, then maybe the documentation
>for the depth could be updated to something like:
>    depth
>         Modifier for the content option, sets the maximum search 
>         depth for a pattern match attempt. The depth is measured 
>         from the byte index given by the offset specifier.

More information about the Snort-sigs mailing list