[Snort-users] Depth vs. offset in rules
research at ...17107...
Tue Mar 3 11:39:35 EST 2015
In reading chapter 3 of the Snort 220.127.116.11 manual, I have a clarification question for the use of “depth” vs. “offset”.
Depth appears to specify where to start a content match in the packet payload, so if I understand correctly:
…would mean begin content matching 5 bytes into the packet payload.
When compared to offset, does that mean offset relative to the depth? So:
depth:5; offset:10; …
…means start at byte 5 in the packet payload and an offset from the depth as a starting location of another 10 bytes? I am thinking that is correct because I note that offset can have negative values and a negative starting point for a packet payload would not make sense, but as an offset it would.
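Added example, not part of the original post and not Snort's own code: a small Python model of how the Snort 2.x `offset` and `depth` content modifiers bound a search, where `offset` is the payload byte at which the search starts and `depth` is how many bytes from that start are searched. The function names and the sample payload are constructed for illustration, and negative offsets are not modelled.

```python
# Model of Snort 2.x content-match windows (illustrative, not Snort source).
# offset: payload byte index where the search begins (default 0).
# depth:  number of bytes, counted from that start, that may be searched.

def search_window(payload_len, offset=0, depth=None):
    """Return (start, end), end exclusive, of the bytes a content match may use."""
    if offset < 0:
        raise ValueError("negative offsets are not modelled in this example")
    start = min(offset, payload_len)
    end = payload_len if depth is None else min(start + depth, payload_len)
    return start, end


def content_match(payload, pattern, offset=0, depth=None):
    """Return the index of pattern inside the allowed window, or -1 if absent."""
    if depth is not None and depth < len(pattern):
        # The pattern must fit inside the window it is searched in.
        raise ValueError("depth must be at least the pattern length")
    start, end = search_window(len(payload), offset, depth)
    # bytes.find only reports matches that lie entirely within [start, end).
    return payload.find(pattern, start, end)


# Constructed sample payload.
PAYLOAD = b"GET /index.html HTTP/1.1\r\n"

if __name__ == "__main__":
    cases = [
        ("content:\"GET\"; depth:5;", b"GET", 0, 5),
        ("content:\"index\"; depth:5;", b"index", 0, 5),
        ("content:\"index\"; offset:5; depth:5;", b"index", 5, 5),
        ("content:\".html\"; depth:5; offset:10;", b".html", 10, 5),
        ("content:\"HTTP\"; offset:10;", b"HTTP", 10, None),
    ]
    for rule, pattern, offset, depth in cases:
        window = search_window(len(PAYLOAD), offset, depth)
        hit = content_match(PAYLOAD, pattern, offset, depth)
        print(f"{rule:40} window={window} match_index={hit}")
```

In this model `depth:5; offset:10;` and `offset:10; depth:5;` give the same window, bytes 10 through 14 of the payload.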