[Snort-users] align option of byte_jump

Martin Hofmeister mhofmeister at ...7039...
Thu Sep 4 12:24:36 EDT 2003


Could someone please help me understand the exact use of the align option of the byte_jump feature.  Here's how byte_jump looks:

  byte_jump: <bytes_to_convert>, <offset> [, [relative], [big], [little], [string], [hex], [dec], [oct], [align]]

According to the documentation, align rounds the number of converted bytes up to the next 32-bit boundary.  I am confused by the example given in the documentation which looks as follows:

alert udp any any -> any 32770:34000 (content: "| 00 01 86 B8 |"; \
                    content: "| 00 00 00 01|"; distance: 4; within: 4; \
                    byte_jump: 4, 12, relative, align; \
                    byte_test: 4, >, 900, 20, relative; \
                    msg: "statd format string buffer overflow";)

The byte_jump has specified 4 bytes to convert, so why would we need the "align" option in this example since we are already converting 32 bits (4 bytes)?

If anyone can explain this option to me I would really appreciate it.

Thanks,

Martin Hofmeister
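A worked model of the option, added here as an example (it is not part of the original post and not Snort's own code): align is applied to the value read out of the converted bytes, that is, to the jump distance, not to bytes_to_convert itself. In the statd rule the 4 bytes at offset 12 hold the XDR length of the AUTH_UNIX machine name, and XDR pads strings to a 4-byte boundary while the length field carries the unpadded length, so the jump has to be rounded up to land on the field after the string. The packet is constructed for the example following the ONC RPC call layout (header, AUTH_UNIX credential, AUTH_NULL verifier, SM_STAT argument), and the content/distance/within matching is simplified to what the rule needs.

```python
import struct

# Added example (not part of the original post or of Snort's source): a small
# model of Snort's byte_jump/byte_test in Python, applied to a constructed
# ONC RPC call to statd (program 100024), to show what "align" changes.

STATD_PROG = 100024          # 0x000186B8, the first content match in the rule
SM_STAT = 1                  # procedure number, the second content match
AUTH_UNIX = 1
AUTH_NULL = 0


def byte_extract(payload, num_bytes, pos, big_endian=True):
    """Read num_bytes at pos as an unsigned integer (numeric, non-string mode)."""
    if pos < 0 or pos + num_bytes > len(payload):
        raise ValueError("byte_extract out of bounds")
    return int.from_bytes(payload[pos:pos + num_bytes], "big" if big_endian else "little")


def byte_jump(payload, bytes_to_convert, offset, doe, relative=False, align=False):
    """Model of byte_jump. Returns (new_doe, jump_distance).

    The value is read at base = doe + offset (relative) or offset (absolute).
    'align' rounds that value up to a multiple of 4; bytes_to_convert is
    untouched. The jump is taken from the end of the converted bytes.
    """
    base = doe + offset if relative else offset
    value = byte_extract(payload, bytes_to_convert, base)
    if align and value % 4:
        value += 4 - (value % 4)
    new_doe = base + bytes_to_convert + value
    if new_doe > len(payload):
        raise ValueError("byte_jump beyond end of payload")
    return new_doe, value


def byte_test(payload, bytes_to_convert, op, threshold, offset, doe, relative=False):
    """Model of byte_test with the >, <, = operators."""
    base = doe + offset if relative else offset
    extracted = byte_extract(payload, bytes_to_convert, base)
    return {">": extracted > threshold, "<": extracted < threshold, "=": extracted == threshold}[op]


def xdr_string(s):
    """XDR string: 4-byte length, the bytes, zero padding to a 4-byte boundary."""
    data = s.encode()
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def build_statd_call(machinename, mon_name, xid=0x12345678):
    """Constructed SM_STAT call with an AUTH_UNIX credential (not a real capture)."""
    header = struct.pack(">IIIIII", xid, 0, 2, STATD_PROG, 1, SM_STAT)  # xid, CALL, rpcvers, prog, vers, proc
    # stamp, machinename, uid, gid, gids count = 0
    cred_body = struct.pack(">I", 0) + xdr_string(machinename) + struct.pack(">III", 0, 0, 0)
    cred = struct.pack(">II", AUTH_UNIX, len(cred_body)) + cred_body
    verf = struct.pack(">II", AUTH_NULL, 0)
    return header + cred + verf + xdr_string(mon_name)   # mon_name is the SM_STAT argument


def statd_rule_matches(payload, align=True):
    """Evaluate the rule from the post; 'align' toggles the byte_jump option."""
    hit = payload.find(STATD_PROG.to_bytes(4, "big"))             # content:"|00 01 86 B8|"
    if hit < 0:
        return False
    doe = hit + 4
    if payload[doe + 4:doe + 8] != SM_STAT.to_bytes(4, "big"):    # content:"|00 00 00 01|"; distance:4; within:4
        return False
    doe += 8
    # byte_jump:4,12,relative,align -> read the machinename length 12 bytes past proc
    # (cred flavor, cred length, stamp) and skip the padded string
    doe, _ = byte_jump(payload, 4, 12, doe, relative=True, align=align)
    # byte_test:4,>,900,20,relative -> 20 bytes past the name: uid, gid, gids count,
    # verf flavor, verf length; the 4 bytes there are the mon_name length
    return byte_test(payload, 4, ">", 900, 20, doe, relative=True)


if __name__ == "__main__":
    pkt = build_statd_call("host1", "A" * 1000)   # 5-byte name is padded to 8 on the wire
    print("with align:   ", statd_rule_matches(pkt, align=True))    # True
    print("without align:", statd_rule_matches(pkt, align=False))   # False: lands 3 bytes short
    print("benign:       ", statd_rule_matches(build_statd_call("host1", "server")))  # False
```

With a 5-byte machine name the unaligned jump stops inside the padding, so the later byte_test reads three bytes of the verifier length plus one byte of the mon_name length and sees 0 instead of 1000; with a name whose length is already a multiple of 4 the two variants behave identically, which is why the option is harmless to add and easy to overlook when testing with only one packet.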



