Snort mailing list archives

Re: Snort binary search


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 11 Feb 2005 17:20:04 -0500

At 05:07 PM 2/11/2005, mosquitooth () gmx net wrote:
Some trivial (nevertheless important) question: When I do search for a
given pattern in a snort rule - does the search start at the beginning of
the payload (AFTER all the eth/ip/tcp/udp/... headers) or right at the
beginning: byte 1 (of the ethernet header) that was sent on the wire?

IIRC the content checks start right after the end of the header for whatever the rule type is.

Thus, content checks on "ip" rules start at the end of the IP header. Content checks on "tcp" rules start at the end of the TCP header.


This is a subtle difference from "after the headers" because ip rules will still see tcp packets and will see the tcp headers as part of the "content".
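[Editor's added example, not part of Matt's reply or of Snort itself: a small Python script that builds a hand-constructed Ethernet/IPv4/TCP frame and computes where a plain content search would start for an "ip" rule (end of the IP header) versus a "tcp" rule (end of the TCP header). The helper names, the addresses and the payload are all made up for the illustration; the frame is never sent anywhere and its checksums are left at zero. The point it shows is the one above: a pattern that happens to sit in the TCP header, such as the destination-port bytes, is matched by an "ip" rule but not by a "tcp" rule.]

```python
# Added example (not from the original thread or from Snort): where a plain
# content:"..." search begins for an "ip" rule vs a "tcp" rule.
# The packet is constructed by hand for offset arithmetic only; checksums are 0.
import struct

ETH_LEN = 14  # Ethernet II header: dst MAC, src MAC, ethertype


def build_packet(payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Build Ethernet + IPv4 + TCP + payload with made-up addresses."""
    eth = (b"\x00\x11\x22\x33\x44\x55"   # dst MAC (hypothetical)
           + b"\x66\x77\x88\x99\xaa\xbb"  # src MAC (hypothetical)
           + b"\x08\x00")                # ethertype IPv4
    ihl = 5           # IPv4 header length in 32-bit words (no options)
    tcp_words = 5     # TCP data offset in 32-bit words (no options)
    total_len = ihl * 4 + tcp_words * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl,   # version / IHL
                     0,                # TOS
                     total_len,        # total length
                     0x1234,           # identification
                     0,                # flags / fragment offset
                     64,               # TTL
                     6,                # protocol = TCP
                     0,                # header checksum (left zero)
                     bytes([10, 0, 0, 1]),   # src 10.0.0.1 (constructed)
                     bytes([10, 0, 0, 2]))   # dst 10.0.0.2 (constructed)
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport,
                      1, 0,             # seq, ack
                      tcp_words << 4,   # data offset / reserved
                      0x18,             # flags PSH|ACK
                      65535,            # window
                      0, 0)             # checksum, urgent pointer
    return eth + ip + tcp + payload


def content_start(frame: bytes, rule_proto: str) -> int:
    """Byte offset in the frame where a content search begins for a rule of the
    given protocol: right after the IP header for 'ip', right after the TCP
    header for 'tcp' (mirrors the behaviour described in the reply above)."""
    ihl_bytes = (frame[ETH_LEN] & 0x0F) * 4
    ip_end = ETH_LEN + ihl_bytes
    if rule_proto == "ip":
        return ip_end
    if rule_proto == "tcp":
        if frame[ETH_LEN + 9] != 6:      # IP protocol field
            raise ValueError("not a TCP packet")
        data_off = (frame[ip_end + 12] >> 4) * 4   # TCP data offset field
        return ip_end + data_off
    raise ValueError(f"unsupported rule protocol {rule_proto!r}")


def content_matches(frame: bytes, rule_proto: str, pattern: bytes) -> bool:
    """Emulate a bare content:"..." check (no offset/depth/distance modifiers):
    search from the rule's start point to the end of the frame."""
    return pattern in frame[content_start(frame, rule_proto):]


if __name__ == "__main__":
    frame = build_packet(b"GET / HTTP/1.0\r\n")
    port80 = b"\x00\x50"   # dport 80 as it appears in the TCP header
    for proto in ("ip", "tcp"):
        print(proto, "search starts at byte", content_start(frame, proto),
              "| matches dport bytes:", content_matches(frame, proto, port80),
              "| matches HTTP:", content_matches(frame, proto, b"HTTP"))
```

With the constructed frame the "ip" search starts at byte 34 and the "tcp" search at byte 54; the two-byte port pattern is found only by the "ip" rule, while "HTTP" in the payload is found by both. Real Snort also applies modifiers such as offset, depth and distance relative to that start point, which this sketch does not model.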




