Snort mailing list archives

base64_data offset question


From: Duane Howard via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 5 Dec 2019 21:18:28 -0800

I've seen a few rules[0][1] included in the Registered ruleset on snort.org
that contain something like:
base64_decode:bytes 1000,offset 0,relative;

The snort user-manual, however, explicitly states[2] that offset:
Determines the offset relative to the doe_ptr when the option relative is
specified or relative to the start of the packet payload to begin
inspection of base64 encoded data. *This argument takes positive and
non-zero values only.*

I presume the documentation is incorrect in this case? Otherwise there are
a few rules in the community set that exhibit this behavior and could be
corrected.

Thanks,
Duane

[0] sid:51438
[1] sid:52028
[2] http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004529000000000000000
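The rule form quoted above can be found mechanically: the script below (an added example, not part of the thread or of the Snort project) parses base64_decode options out of rule lines and reports the ones whose offset violates the manual's "positive and non-zero" constraint. The sample rules and their sids are constructed placeholders, not the rules cited in the message.

```python
import re

# Matches one base64_decode option in a rule and captures its argument list, e.g.
# "base64_decode:bytes 1000,offset 0,relative;" -> "bytes 1000,offset 0,relative"
_BASE64_DECODE_RE = re.compile(r"base64_decode\s*:\s*([^;]*);")

def parse_base64_decode(option_body):
    """Parse the comma-separated base64_decode arguments into a dict."""
    parsed = {"bytes": None, "offset": None, "relative": False}
    for arg in option_body.split(","):
        arg = arg.strip()
        if not arg:
            continue
        if arg == "relative":
            parsed["relative"] = True
            continue
        key, _, value = arg.partition(" ")
        if key.strip() in ("bytes", "offset") and value.strip():
            parsed[key.strip()] = int(value)
        else:
            raise ValueError("unrecognised base64_decode argument: %r" % arg)
    return parsed

def find_nonpositive_offsets(rule_text):
    """Return (sid, offset) for every base64_decode option whose offset is <= 0."""
    # The manual quoted in the thread says offset takes positive, non-zero values only.
    findings = []
    for rule in rule_text.splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        sid_match = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
        sid = int(sid_match.group(1)) if sid_match else None
        for body in _BASE64_DECODE_RE.findall(rule):
            offset = parse_base64_decode(body)["offset"]
            if offset is not None and offset <= 0:
                findings.append((sid, offset))
    return findings

# Constructed sample rules with placeholder sids (not the rules cited in the thread).
SAMPLE_RULES = """
alert tcp any any -> any 25 (msg:"TEST offset zero"; content:"X-Test|3A 20|"; base64_decode:bytes 1000,offset 0,relative; base64_data; content:"payload"; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"TEST offset ok"; content:"X-Test|3A 20|"; base64_decode:bytes 1000,offset 1,relative; base64_data; content:"payload"; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"TEST no offset"; base64_decode:bytes 300; base64_data; content:"payload"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for sid, offset in find_nonpositive_offsets(SAMPLE_RULES):
        print("sid:%s uses base64_decode offset %d" % (sid, offset))
```

Pointing find_nonpositive_offsets at the text of a downloaded .rules file lists every rule that would need correcting if the manual's constraint is the authoritative one.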