[Snort-sigs] Offset

Joel Esler (jesler) jesler at ...3865...
Fri Jul 1 14:01:15 EDT 2016


However, the answer is yes.  Offset will always start from the beginning of the data portion of the packet.  So, you can go back to the beginning of the packet if you need to, but you should try to avoid it, for speed.


--
Joel Esler
Manager, Talos Group




> On Jun 30, 2016, at 10:59 AM, Al Lewis (allewi) <allewi at ...3865...> wrote:
> 
> 
> I think Joel has given a good explanation here: http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
> 
> 
> 
> Albert Lewis
> QA SNORT/Sourcefire
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Email: allewi at ...3865...
> 
> On 6/30/16, 10:09 AM, "Fincham, Greg L. CTN2" <gfincham at ...4163...> wrote:
> 
>> Can you use the "Offset" modifier twice in the same signature?

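The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of how two `offset` contents are each positioned from the start of the payload, contrasted with `distance`, which is relative to the previous match. The function name `match_contents`, the payload and the rule options shown in comments are constructed for illustration; this is not Snort's own matcher.

```python
# Simplified model of Snort content positioning (added illustration, not Snort code).
# offset/depth are absolute: counted from the start of the payload.
# distance is relative: counted from the end of the previous match.

def match_contents(payload, contents):
    """Return the start index of each content match, or None if one fails."""
    cursor = 0          # end of the previous match
    hits = []
    for c in contents:
        if "distance" in c:
            start = max(0, cursor + c["distance"])
        else:
            start = c.get("offset", 0)   # ignores cursor entirely
        end = len(payload)
        if "depth" in c:
            end = min(end, start + c["depth"])
        idx = payload.find(c["pattern"], start, end)  # must fit inside [start, end)
        if idx == -1:
            return None
        hits.append(idx)
        cursor = idx + len(c["pattern"])
    return hits

# Constructed payload for the example.
PAYLOAD = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=admin"

# Models: content:"HTTP/1.1"; offset:12; depth:8; content:"POST"; offset:0; depth:4;
TWO_OFFSETS = [
    {"pattern": b"HTTP/1.1", "offset": 12, "depth": 8},
    {"pattern": b"POST", "offset": 0, "depth": 4},
]

# Models: content:"HTTP/1.1"; offset:12; depth:8; content:"POST"; distance:0;
RELATIVE = [
    {"pattern": b"HTTP/1.1", "offset": 12, "depth": 8},
    {"pattern": b"POST", "distance": 0},
]

if __name__ == "__main__":
    print(match_contents(PAYLOAD, TWO_OFFSETS))
    print(match_contents(PAYLOAD, RELATIVE))
```

The second `offset` content matches at index 0 even though the first match ended at index 20, while the `distance` variant fails because its search starts after the first match.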