[Snort-sigs] Negative offset?
Joel Esler (jesler)
jesler at ...3865...
Fri Mar 6 16:25:13 EST 2015
On Mar 3, 2015, at 2:06 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...<mailto:l0rdch0de1m0rt at ...2420...>> wrote:
In our thread from the other day (http://seclists.org/snort/2010/q2/838) you said:
On Thu, Jun 10, 2010 at 11:20 AM, Joel Esler <jesler at ...435...<mailto:jesler at ...435...>> wrote:
Plus with distance, you can do negative relativity, you can't do that with offset. Just FYI.
This makes sense but the Snort manual says offset can be give a value -65535 to 655535. And while Snort does not throw an error with a negative offset, I cant seem to think of how a negative offset would work. I thought maybe it would start from the end of the packet and go backwards (kind of like python list indexing) but my tests don't show this. Any insight is appreciated.
I just commented in another thread that we are thinking about this as far as a use case.
Open Source Manager
Threat Intelligence Team Lead
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs