Re: Negative offset?

["Joel Esler (jesler)" <jesler () cisco com>]

On Mar 3, 2015, at 2:06 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com<mailto:l0rdch0de1m0rt () gmail com>> wrote:

Hey Joel,

In our thread from the other day (http://seclists.org/snort/2010/q2/838) you said:


On Thu, Jun 10, 2010 at 11:20 AM, Joel Esler <jesler () sourcefire com<mailto:jesler () sourcefire com>> wrote:


Plus with distance, you can do negative relativity, you can't do that with offset.  Just FYI.





This makes sense but the Snort manual says offset can be give a value -65535 to 655535.  And while Snort does not throw 
an error with a negative offset, I cant seem to think of how a negative offset would work.  I thought maybe it would 
start from the end of the packet and go backwards (kind of like python list indexing) but my tests don't show this.  
Any insight is appreciated.


I just commented in another thread that we are thinking about this as far as a use case.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!