Hosting Provided By

[Snort-devel] is offset subtracted from depth?

From: Jason Lunz <lunz(at)falooley.org>
Date: Wed Mar 03 2004 - 16:46:09 EST

The documentation on snort.org has this to say about the use of depth + offset in snort rules:

2.5.4 depth

	The depth keyword allows the rule writer to specify how far into
	a packet snort should search for the specified pattern. depth
	modifies the previous 'content' keyword in the rule.

	A depth of 5 would tell snort to only look look for the
	specified pattern within the first 5 bytes of the payload.

	[...]


	2.5.5 offset

	The offset keyword allows the rule writer to specify where to
	start searching for a pattern within a packet. offset modifies
	the previous 'content' keyword in the rule.

	An offset of 5 would tell snort to start looking for the
	specified pattern after the first 5 bytes of the payload.

	[...]


	See Figure for an example of a combined content, offset, and
	depth search rule.
	alert tcp any any -> any 80 (content: "cgi-bin/phf"; offset:4; depth:20;)
	Figure: Combined Content, Offset and Depth Rule. Skip the first
	4 bytes, and look for cgi-bin/phf in the next 20 bytes

This would indicate that for the example rule given above, 0-indexed bytes 4-23 are searched, for a searched area of 20 bytes.

However, a cursory reading of uniSearchReal() in detection-plugins/sp_pattern_match.c from 2.1.1 says:

	int depth = dlen;
	[... stuff omitted ...]
	else /* otherwise just use the offset (validated by calling function) */
	{
		base_ptr += pmd->offset;
		depth -= pmd->offset;
	}

So without reading into the snort code any more, it appears that the example given in the docs would subtract offset from depth before searching, giving a search range of data bytes 4-19 and a target area of 16 bytes.

Am I just reading the snort source incorrectly? Or does the documentation need an update? If so, what does that mean for all the rules written using the old documentation?

thanks,

Jason

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Thu Mar 4 08:46:47 2004

Do you need help?

This message: [ Message body ]
Next message: Peter Silberman: "[Snort-devel] Error: PCRE.lib on win32"
Previous message: Milani Paolo: "[Snort-devel] Detection disabled by mistake in spp_stream4"
Next in thread: Brian: "Re: [Snort-devel] is offset subtracted from depth?"
Reply: Brian: "Re: [Snort-devel] is offset subtracted from depth?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT