[Snort-users] Snort binary search

Matt Kettler mkettler at ...4108...
Fri Feb 11 14:21:48 EST 2005

At 05:07 PM 2/11/2005, mosquitooth at ...158... wrote:
>some trivial (nevertheless important) question: When I do search for a
>given pattern in a snort rule - does the search start at the beginning of
>the payload (AFTER all the eth/ip/tcp/udp/... headers) or right at the
>beginning: byte 1 (of the ethernet header) that was sent on the wire?

IIRC the content checks start right after the end of the header for 
whatever the rule type is.

Thus, content checks on "ip" rules start at the end of the IP header. 
Content checks on "tcp" rules start at the end of the TCP header.

This is a subtle difference from "after the headers" because ip rules will 
still see tcp packets and will see the tcp headers as part of the "content".
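To make the distinction concrete, here is a small added illustration (written for this page, not Snort's own code or anything from the poster) that models the behaviour described above: a content check on an "ip" rule scans everything after the IP header, so the TCP header is part of the scanned bytes, while a "tcp" rule starts after the TCP header. The frame is a constructed Ethernet II + IPv4 + TCP packet with zeroed checksums; the Ethernet header length of 14 bytes (no VLAN tag) is an assumption, and IHL and the TCP data offset are honoured so headers with options are handled too.

```python
import struct

ETH_LEN = 14          # Ethernet II header without VLAN tag (assumed)
IPPROTO_TCP = 6


def build_frame(payload: bytes, src_port: int = 12345, dst_port: int = 80) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 (no options) + TCP (no options) + payload.
    Checksums are left as zero; this is test data, not a real capture."""
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port,
                          1, 0,            # seq, ack
                          5 << 4,          # data offset = 5 words (20 bytes)
                          0x18,            # flags: PSH|ACK
                          8192, 0, 0)      # window, checksum, urgent pointer
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,      # version/IHL, TOS, total length
                         0, 0x4000,               # id, flags (DF) / fragment offset
                         64, IPPROTO_TCP, 0,      # TTL, protocol, header checksum
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = bytes(6) + bytes(6) + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def content_region(frame: bytes, rule_proto: str) -> bytes:
    """Bytes a content check would scan for a rule of the given protocol,
    following the model in the post: matching starts right after the header
    of the rule's own protocol (Ethernet and IP headers are always skipped)."""
    ip_start = ETH_LEN
    ihl = (frame[ip_start] & 0x0F) * 4            # IPv4 header length in bytes
    tcp_start = ip_start + ihl
    if rule_proto == "ip":
        return frame[tcp_start:]                  # TCP header is part of the region
    if rule_proto == "tcp":
        if frame[ip_start + 9] != IPPROTO_TCP:
            return b""                            # a tcp rule never sees non-TCP packets
        data_off = (frame[tcp_start + 12] >> 4) * 4
        return frame[tcp_start + data_off:]       # application payload only
    raise ValueError(f"unsupported rule protocol: {rule_proto}")


def content_offset(frame: bytes, rule_proto: str, pattern: bytes) -> int:
    """Offset of pattern within the scanned region, or -1 if it is absent."""
    return content_region(frame, rule_proto).find(pattern)


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.0\r\n")
    for proto in ("ip", "tcp"):
        print(proto, "rule: 'GET' at offset", content_offset(frame, proto, b"GET"),
              "/ dst-port bytes 00 50 at offset", content_offset(frame, proto, b"\x00\x50"))
```

Running it shows the same application pattern at offset 20 for the ip rule but offset 0 for the tcp rule, and the destination-port bytes of the TCP header are visible only to the ip rule; this is why `offset`/`depth` values written for a tcp rule cannot be carried over unchanged to an ip rule.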

