[Snort-users] Snort binary search
mkettler at ...4108...
Fri Feb 11 14:21:48 EST 2005
At 05:07 PM 2/11/2005, mosquitooth at ...158... wrote:
>some trivial (nevertheless important) question: When I do search for a
>given pattern in a snort rule - does the search start at the beginning of
>the payload (AFTER all the eth/ip/tcp/udp/... headers) or right at the
>beginning: byte 1 (of the ethernet header) that was sent on the wire?
IIRC the content checks start right after the end of the header for
whatever the rule type is.
Thus, content checks on "ip" rules start at the end of the IP header.
Content checks on "tcp" rules start at the end of the TCP header.
This is a subtle difference from "after the headers" because ip rules will
still see tcp packets and will see the tcp headers as part of the "content".
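As an added illustration (not from this thread and not Snort's own code), the following Python builds a constructed Ethernet/IPv4/TCP frame and models where a content check would begin for an "ip" rule versus a "tcp" rule under the behaviour described above: right after the header of the rule's own protocol. The packet bytes, the `content_start` and `rule_matches` helpers, and the offsets are all assumptions made for this example; real Snort does more decoding (options, reassembly, IP fragments) than this sketch.

```python
import struct

ETH_LEN = 14  # fixed Ethernet II header length (no VLAN tag assumed)


def build_packet(payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame for illustration only."""
    # dst MAC, src MAC, EtherType 0x0800 (IPv4); values are made up
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    # Version/IHL=0x45, TOS, total length, ID, flags/frag, TTL, proto=6 (TCP),
    # checksum left 0, src 10.0.0.1, dst 10.0.0.2
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    # src port 40000, dst port 80, seq, ack, data offset 5 (0x50), flags PSH|ACK,
    # window, checksum 0, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def content_start(rule_proto: str, frame: bytes) -> int:
    """Offset (from the start of the frame) where content matching begins
    for a rule of the given protocol, per the behaviour described in the post:
    just past the header of that protocol, so an 'ip' rule still sees the
    TCP/UDP header bytes as part of the searched content."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4  # IPv4 header length in bytes
    if rule_proto == "ip":
        return ETH_LEN + ihl
    if rule_proto == "tcp":
        data_off = (frame[ETH_LEN + ihl + 12] >> 4) * 4  # TCP header length
        return ETH_LEN + ihl + data_off
    if rule_proto == "udp":
        return ETH_LEN + ihl + 8  # UDP header is always 8 bytes
    raise ValueError(f"unsupported rule protocol: {rule_proto}")


def rule_matches(rule_proto: str, pattern: bytes, frame: bytes) -> bool:
    """Model of a plain 'content' check: search from content_start() onward."""
    return pattern in frame[content_start(rule_proto, frame):]


if __name__ == "__main__":
    frame = build_packet(b"GET / HTTP/1.0\r\n")
    # b"\x00\x50" is destination port 80 inside the TCP header: an "ip" rule
    # sees it, a "tcp" rule does not, because the tcp search starts after it.
    for proto in ("ip", "tcp"):
        print(proto, content_start(proto, frame),
              rule_matches(proto, b"\x00\x50", frame),
              rule_matches(proto, b"GET", frame))
```

The practical consequence for rule writers is that an `ip` rule with a `content` pattern can fire on bytes that belong to the transport header (ports, flags, options) rather than to application data, so a pattern meant for payload should be written against the transport protocol, or anchored with the rule's offset/depth modifiers.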