Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Rules » the offset keyword

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

the offset keyword


Posted by shimritd on May 04, 2005 04:33:09

Hi, if the offset keyword appear in one of the patterns in the rule, does it mean that all the patterns after this one will be searched from that offset? or the offset is attached only to that specific pattern.

Thanks

Posted by SamP on May 04, 2005 09:58:36

To keep it simple:

Let's just say some packet payload had
abc123xyz

You can do:
content:"abc"; offset:0; depth:3; \
content:"xyz"; offset:6; depth:3; \

So, the offset/depth options would be used for each pattern match.
Hope that helps.
site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.