[Snort-sigs] Negative offset?

Joel Esler (jesler) jesler at ...3865...
Fri Mar 6 16:25:13 EST 2015

On Mar 3, 2015, at 2:06 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...> wrote:

Hey Joel,

In our thread from the other day (http://seclists.org/snort/2010/q2/838) you said:

On Thu, Jun 10, 2010 at 11:20 AM, Joel Esler <jesler at ...435...> wrote:

Plus with distance, you can do negative relativity, you can't do that with offset.  Just FYI.

This makes sense but the Snort manual says offset can be given a value -65535 to 655535.  And while Snort does not throw an error with a negative offset, I can't seem to think of how a negative offset would work.  I thought maybe it would start from the end of the packet and go backwards (kind of like Python list indexing) but my tests don't show this.  Any insight is appreciated.

I just commented in another thread that we are thinking about this as far as a use case.

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
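
The offset/distance difference discussed in this thread, as an added Python sketch that is not part of the original messages and is not Snort code: offset is counted from the start of the payload, distance from the end of the previous content match, so only distance can point backwards. The function name, the constructed payload, the first-match-only search and the clamping of a backwards start to byte 0 are assumptions of this model.

```python
# Simplified model of how Snort positions a content search (added example,
# not Snort source). Real Snort also retries earlier matches; this does not.

# Constructed sample payload.
PAYLOAD = b"GET /index.php?id=1 HTTP/1.1\r\n"


def match_chain(payload, contents):
    """Evaluate content matches in order.

    contents: list of (pattern, modifier, value), modifier being
    "offset", "distance" or None. Returns a list of (start, end) spans,
    or None when any content fails to match.
    """
    cursor = 0  # end of the previous match
    spans = []
    for pattern, modifier, value in contents:
        if modifier == "offset":
            if value < 0:
                # The thread leaves negative offset undefined; not modelled.
                raise ValueError("negative offset is not modelled")
            start = value  # absolute, from payload start
        elif modifier == "distance":
            # Relative to previous match end; may be negative.
            # Assumption: a start before byte 0 is clamped to 0.
            start = max(0, cursor + value)
        else:
            start = 0  # unmodified content searches the whole payload
        idx = payload.find(pattern, start)
        if idx < 0:
            return None
        cursor = idx + len(pattern)
        spans.append((idx, cursor))
    return spans


if __name__ == "__main__":
    first = (b"HTTP/1.1", None, 0)
    for d in (0, -12, -13):
        print(d, match_chain(PAYLOAD, [first, (b"id=", "distance", d)]))
    print(match_chain(PAYLOAD, [(b"id=", "offset", 15)]))
```

In the sample, "HTTP/1.1" ends at byte 28 and "id=" starts at byte 15, so the second content only matches once the distance reaches back at least 13 bytes.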
