Snort mailing list archives

"uricontent" and "offset" notion


From: "Intru Defender" <intrusec () rediffmail com>
Date: 21 Dec 2005 01:30:04 -0000

Hi All,
I need a little clarification about the "offset" modifier notation in conjunction with the "uricontent" keyword. Does Snort treat "offset" differently in the case of the "uricontent" keyword?

In the case of the "uricontent" keyword, does Snort treat "offset:0" from the start of the URI, and not from the start of the payload?

The Snort manual says that "offset" tells how many bytes to skip before starting to look for the specified "content" keyword, and that "offset" is calculated from the start of the payload.

For example: 
content: ".html"; offset:4; would mean start looking for ".html" after 4 bytes.

However, in the case of the "uricontent" keyword:

Would uricontent: ".html"; offset:0; depth:5; mean start looking from the start of the URI and in the next 5 characters? Or would it mean start looking for ".html" in the first 5 bytes of the payload?


Any help will be appreciated.

Thanks,

-IntruSec
