[Snort-users] "uricontent" and "offset" notion

Intru Defender intrusec at ...3390...
Tue Dec 20 17:31:05 EST 2005


Hi All,
I need a little clarification about "offset" modifier notation in conjuction with "uricontent" keyword. Does Snort treats "offset" differently in case of "uricontent" keyword.

In case of "uricontent" keyword, does snort treats "offset:0" from the start of URI, and not from the start of the payload.

The snort manual says that the "offset" tells how many bytes to skip before starting looking for the specified "content" keyword and "offset" is calculated from the start of payload.

For example: 
content: ".html"; offset:4; would mean start looking for ".html" after 4 bytes.

However, in case of "uricontent" keyword

Will uricontent: ".html"; offset:0; depth:5; would mean start looking for start of URI and in next 5 characters. Or it will mean, start looking for ".html" in first 5 bytes of payload.


Any help will be appricated.

Thanks,

-IntruSec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051220/f66dc560/attachment.html>


More information about the Snort-users mailing list