[Snort-users] Depth vs. offset in rules

Research research at ...17107...
Tue Mar 3 11:39:35 EST 2015


Hi,

In reading chapter 3 of the Snort 2.9.7.0 manual, I have a clarification question for the use of “depth” vs. “offset”.

Depth appears to specify where to start a content match in the packet payload, so if I understand correctly:

	depth:5;

…would mean begin content matching 5 bytes into the packet payload.

When compared to offset, does that mean offset relative to the depth? So:

	depth:5; offset:10; …

…means start at byte 5 in the packet payload and an offset from the depth as a starting location of another 10 bytes? I am thinking that is correct because I note that offset can have negative values and a negative starting point for a packet payload would not make sense, but as an offset it would.

Thanks
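
For reference on the two keywords asked about above, an added example (not part of the original post and not Snort code): a simplified Python model of how the Snort 2.9 manual describes them, where offset is where the search starts and depth is how many bytes are searched from that starting point. The function names, the sample payload and the restriction to non-negative offsets are assumptions of this sketch.

```python
# Added illustration: simplified model of one Snort 2.9.x content match
# with "offset" and "depth". Not Snort source code.

def content_match(payload, pattern, offset=0, depth=None):
    """True if `pattern` lies wholly inside the search window.

    offset: bytes skipped from the start of the payload before searching.
    depth:  number of bytes searched, counted from where the search starts
            (the offset, or byte 0 when no offset is given).
    """
    if offset < 0:
        raise ValueError("this model covers non-negative offsets only")
    if depth is not None and depth < len(pattern):
        # The manual only allows depth >= pattern length: a shorter
        # window could never hold the whole pattern.
        raise ValueError("depth must be >= pattern length")
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    # bytes.find only reports hits that fit entirely inside [offset, end)
    return payload.find(pattern, offset, end) != -1


def window(payload, offset=0, depth=None):
    """The bytes a content match with these modifiers is allowed to see."""
    end = None if depth is None else offset + depth
    return payload[offset:end]


# Constructed sample payload (not captured traffic)
PAYLOAD = b"GET /cgi-bin/phf?x=1 HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    cases = [
        ("depth:5;", b"GET", dict(depth=5)),
        ("depth:5;", b"cgi", dict(depth=5)),
        ("depth:5; offset:10;", b"in/ph", dict(offset=10, depth=5)),
        ("depth:5; offset:10;", b"/phf", dict(offset=10, depth=5)),
        ("offset:4; depth:20;", b"cgi-bin/phf", dict(offset=4, depth=20)),
    ]
    for modifiers, pattern, kw in cases:
        print(modifiers, pattern, "window =", window(PAYLOAD, **kw),
              "match =", content_match(PAYLOAD, pattern, **kw))
```

In this model `depth:5;` alone searches only the first 5 bytes, and `depth:5; offset:10;` searches payload bytes 10 through 14, whichever order the two modifiers are written in.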


