[Snort-sigs] Matching question

bmc at ...95...
Tue Jul 19 06:40:52 EDT 2005


On Tue, Jul 19, 2005 at 08:17:00AM -0500, Ron wrote:
> Does "distance" mean absolute relative distance?

No.

    distance = relative offset
    within = relative depth

> Here are a couple examples of packets (I'm going to mix hex and
> ascii where it's easier:
> 
> "|FF 51 09 00 01 00 00 00 00|"
> "|FF 51 11 00 01 00 00 00|error text|00|"

To match the first 2 bytes, skip one byte, then match 4 bytes, you can
do that in two different ways.

Normally:
    content:"|FF 51|"; depth:2; content:"|01 00 00 00|"; offset:4; 
    depth:4;

Via relative:
    content:"|FF 51|"; depth:2; content:"|01 00 00 00|"; distance:1;
    within:4;


It's really up to you which you choose.  I prefer relative, but mostly
due to having to deal with layers upon layers of protocols.  If the rules
are relative, then I only have to maintain one set of distances.

Brian
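An added example, not part of Brian's reply or of Snort itself: a small Python simulator of the content-modifier semantics described above (offset/depth counted from the start of the payload, distance/within counted from the end of the previous content match, with depth and within each being the number of bytes searched from that start point), run over Ron's two packets. The keyword meanings are assumptions taken from the post and the Snort manual; parse_snort_bytes, Content, match_rule and evaluate are names made up here.

```python
# Added example (not from the original post): simulate Snort content modifiers.
# Assumed semantics, taken from the post and the Snort manual:
#   offset   = absolute byte index where the search starts
#   depth    = number of bytes to search, counted from that start
#   distance = search start relative to the end of the previous content match
#   within   = number of bytes to search, counted from that relative start
# The first content of a rule is absolute; a content with distance or within
# is relative to where the previous content matched.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None
    distance: Optional[int] = None
    within: Optional[int] = None

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def parse_snort_bytes(s: str) -> bytes:
    """Turn a Snort content string such as '|FF 51|abc|00|' into bytes.
    Text between pipes is hex; text outside pipes is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2 == 1:                      # inside |...|: hex bytes
            out += bytes.fromhex(part)
        else:                               # outside: literal characters
            out += part.encode("ascii")
    return bytes(out)


def match_rule(contents: List[Content], payload: bytes) -> bool:
    """Evaluate an ordered list of content options against one payload."""
    doe = 0                                 # one past the end of the previous match
    for c in contents:
        if c.relative:
            start = doe + (c.distance or 0)
            window = c.within if c.within is not None else len(payload) - start
        else:
            start = c.offset
            window = c.depth if c.depth is not None else len(payload) - start
        # Snort refuses at parse time a depth/within smaller than the pattern;
        # here such a window simply cannot contain a match.
        if start < 0 or start > len(payload) or window < len(c.pattern):
            return False
        idx = payload[start:start + window].find(c.pattern)
        if idx < 0:
            return False
        doe = start + idx + len(c.pattern)
    return True


# Ron's two packets from the thread (constructed test data)
PACKETS: Dict[str, bytes] = {
    "packet1": parse_snort_bytes("|FF 51 09 00 01 00 00 00 00|"),
    "packet2": parse_snort_bytes("|FF 51 11 00 01 00 00 00|error text|00|"),
}

# The two rule forms from the reply
ABSOLUTE_RULE = [
    Content(parse_snort_bytes("|FF 51|"), depth=2),
    Content(parse_snort_bytes("|01 00 00 00|"), offset=4, depth=4),
]
RELATIVE_RULE = [
    Content(parse_snort_bytes("|FF 51|"), depth=2),
    Content(parse_snort_bytes("|01 00 00 00|"), distance=1, within=4),
]
# Relative form whose window starts at byte 4, like offset:4 does
RELATIVE_RULE_D2 = [
    Content(parse_snort_bytes("|FF 51|"), depth=2),
    Content(parse_snort_bytes("|01 00 00 00|"), distance=2, within=4),
]


def evaluate(rule: List[Content], packets: Dict[str, bytes] = PACKETS) -> Dict[str, bool]:
    """Run one rule over every packet and report which ones it matches."""
    return {name: match_rule(rule, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, rule in [("absolute", ABSOLUTE_RULE), ("relative d1", RELATIVE_RULE),
                       ("relative d2", RELATIVE_RULE_D2)]:
        print(name, evaluate(rule))
```

Under these semantics the first content ends at byte 2 in both packets, so distance:1 puts the relative window at bytes 3..6 (00 01 00 00) while offset:4; depth:4 looks at bytes 4..7 (01 00 00 00); distance:2; within:4 is the relative twin of offset:4; depth:4 for this layout. Counting the distance from the end of the previous match rather than from the byte after it is the usual off-by-one to check when converting a rule between the two forms.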
