r3 - 18 Feb 2009 - 19:09:14 - MattJonkman

General FAQ

General questions, tricks, tips, and other things that are asked frequently and important to remember!

What is the difference between offset, distance, depth and within?

All content matches and modifiers start from the first byte of the payload. None of them will look in the header; that is all parsed and can be matched using other directives.

Depth is how far to LOOK into the payload from the start of the payload.

Distance is how far to SKIP from the LAST byte of the previous match before looking for the current match.

Offset is how far to SKIP into the packet from the beginning of the payload before looking for the current match.

Within says only look in the NEXT x bytes AFTER the last byte of the last content match.

So offset and depth are measured from the start of the payload and are often used together; distance and within are similar, but relative to the last content match.
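To make the four windows concrete, the following added example (not part of the original FAQ or of Snort itself) emulates how each content search is bounded and runs a constructed two-content rule over constructed payloads. The names `window`, `match` and `RULE` are hypothetical, and it assumes Snort's behaviour that depth is counted from the offset and within from the point reached after the distance skip.

```python
from typing import List, Optional, Tuple

# Constructed rule, as it would appear in Snort syntax:
#   content:"USER"; offset:0; depth:4; content:"root"; distance:1; within:4;
RULE = [
    {"content": b"USER", "offset": 0, "depth": 4},
    {"content": b"root", "distance": 1, "within": 4},
]


def window(opts: dict, size: int, prev_end: int = 0) -> Tuple[int, int]:
    """Return the [start, end) payload byte range this content may match in."""
    if "distance" in opts or "within" in opts:
        # Relative: measured from the end of the previous content match.
        start = prev_end + opts.get("distance", 0)
        span = opts.get("within")
    else:
        # Absolute: measured from the first byte of the payload.
        start = opts.get("offset", 0)
        span = opts.get("depth")
    end = size if span is None else min(size, start + span)
    return max(start, 0), end


def match(payload: bytes, rule: List[dict], prev_end: int = 0) -> Optional[List[int]]:
    """Return the start index of each content match, or None if the rule fails."""
    if not rule:
        return []
    needle = rule[0]["content"]
    start, end = window(rule[0], len(payload), prev_end)
    pos = payload.find(needle, start, end)  # needle must fit inside the window
    while pos != -1:
        # Check the remaining contents relative to this hit; if they fail,
        # retry with a later occurrence inside the same window.
        rest = match(payload, rule[1:], pos + len(needle))
        if rest is not None:
            return [pos] + rest
        pos = payload.find(needle, pos + 1, end)
    return None


if __name__ == "__main__":
    # Constructed payloads: one hit, one outside "within", one outside "depth".
    for sample in (b"USER root\r\n", b"USER  root\r\n", b"xUSER root\r\n"):
        print(sample, "->", match(sample, RULE))
```

The second payload fails because the extra space pushes "root" past the 4-byte within window, and the third fails because "USER" no longer fits in the first 4 bytes allowed by depth.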

An example image made by Deapesh Misra: Snort-Diagram.png (diagram example)

Add your tips here.....

-- MattJonkman - 16 Feb 2009
Emerging Threats