[Snort-users] Depth vs. offset in rules

Research research at ...17107...
Tue Mar 3 12:02:58 EST 2015


Hi,

I see.  This makes sense to me, except that offset can be a negative number.  So if I specified an offset of -100, wouldn’t that mean to start looking for data 100 bytes *BEFORE* the start of the data section of the packet ?

On Mar 3, 2015, at 11:54 AM, Joel Esler (jesler) <jesler at ...589...> wrote:

> Offset tells Snort how far into the data portion of the packet to start the search.
> 
> 
> Depth tells Snort how far from the offset to stop searching.  (The offset being the one specified, or, if none is specified, the beginning of the packet payload.)
> 
> 
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos Group
> 
> 
>> On Mar 3, 2015, at 11:39 AM, Research <research at ...17107...> wrote:
>> 
>> Hi,
>> 
>> In reading chapter 3 of the Snort 2.9.7.0 manual, I have a clarification question for the use of “depth” vs. “offset”.
>> 
>> Depth appears to specify where to start a content match in the packet payload, so if I understand correctly:
>> 
>> depth:5;
>> 
>> …would mean begin content matching 5 bytes into the packet payload.
>> 
>> When compared to offset, does that mean offset relative to the depth ?  So:
>> 
>> depth:5; offset:10; …
>> 
>> …means start at byte 5 in the packet payload and an offset from the depth as a starting location of another 10 bytes ?  I am thinking that is correct because I note that offset can have negative values and a negative starting point for a packet payload would not make sense, but as an offset it would.
>> 
>> Thanks
> 

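An added example, not part of this thread and not code from the Snort project: a small Python emulation of how a `content` match is bounded by `offset` and `depth` as explained above. It treats the search window as payload[offset : offset + depth], models only non-negative offsets (an assumption noted in the code; negative values and byte_extract variables are not handled), and decodes plain and |hex| content segments so the constructed rule snippets below can be run against a constructed payload.

```python
import re
from typing import Optional

# Matches one "keyword:value;" option; quoted content values may contain
# escaped characters, other values run to the next semicolon.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+)\s*;')

# Constructed sample payload (not real traffic): 20 bytes, "CCCCC" begins at index 10.
PAYLOAD = b"AAAAABBBBBCCCCCDDDDD"


def decode_content(text: str) -> bytes:
    """Decode a Snort content string; segments between '|' are hex bytes."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_content_options(options: str) -> dict:
    """Parse 'content:"..."; offset:N; depth:M;' into a dict.

    Only content, offset and depth are accepted; this is a teaching aid,
    not a rule parser.
    """
    parsed = {"offset": 0, "depth": None}
    for key, value in OPTION_RE.findall(options):
        if key == "content":
            parsed["content"] = decode_content(value[1:-1])  # strip the quotes
        elif key in ("offset", "depth"):
            parsed[key] = int(value)
        else:
            raise ValueError(f"unsupported modifier: {key}")
    if "content" not in parsed:
        raise ValueError("no content keyword in options")
    return parsed


def search_window(payload: bytes, offset: int, depth: Optional[int]) -> bytes:
    """The bytes Snort would search: from offset, extending depth bytes.

    depth counts from the offset, not from byte 0, and when depth is absent
    the window runs to the end of the payload.
    """
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload[offset:end]


def content_match(payload: bytes, options: str) -> Optional[int]:
    """Return the payload index where the pattern matches inside the window, or None.

    The whole pattern must fit inside the window, so a depth shorter than the
    pattern can never match.  Assumption: offsets are non-negative; negative
    offsets are not modelled here.
    """
    opts = parse_content_options(options)
    if opts["offset"] < 0:
        raise ValueError("this emulation models non-negative offsets only")
    window = search_window(payload, opts["offset"], opts["depth"])
    idx = window.find(opts["content"])
    return None if idx == -1 else opts["offset"] + idx


if __name__ == "__main__":
    for rule in (
        'content:"CCCCC"; depth:5;',              # first 5 bytes only: no match
        'content:"CCCCC"; offset:10; depth:5;',   # bytes 10..15: match at 10
        'content:"CCCCC"; offset:10; depth:4;',   # window too short for pattern
        'content:"CCCCC"; offset:5;',             # from byte 5 to the end: match at 10
        'content:"|43 43|CCC"; offset:10; depth:5;',  # 0x43 is 'C': same match
    ):
        print(f"{rule:45} -> {content_match(PAYLOAD, rule)}")
```

The first case is the one the question turned on: `depth:5;` on its own restricts the search to the first five payload bytes rather than starting it at byte 5, so "CCCCC" at index 10 is never seen; adding `offset:10;` moves the five-byte window to where the pattern actually sits.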