---+!! General FAQ

General questions, tricks, tips, and other things that are asked frequently and are important to remember!

%TOC%

---++ What is the difference between offset, distance, depth and within?

All content matches and modifiers start from the first byte of the payload. None of them will look in the header; that is all parsed and can be matched using other directives.

   * *Depth* is how far to LOOK into the payload from the start of the payload.
   * *Distance* is how far to SKIP from the LAST byte of the previous match before looking for the current match.
   * *Offset* is how far to SKIP into the packet from the beginning of the payload before looking for the current match.
   * *Within* says to look only in the NEXT x bytes AFTER the last byte of the last content match.

So offset and depth are measured from the start of the payload and are often used together; distance and within are similar but relative to the last content match.

An example image made by Deapesh Misra:

<img src="http://doc.emergingthreats.net/bin/viewfile/Main/GeneralFAQ?rev=1;filename=Snort-Diagram.png">

   * Diagram example: <br /> <img src="%ATTACHURLPATH%/Snort-Diagram.png" alt="Snort-Diagram.png" width='503' height='269' />

---++ Add your tips here.....

-- Main.MattJonkman - 16 Feb 2009
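The offset/depth/distance/within question above, worked through as an added Python example (not part of the original FAQ or of Snort itself). It models the window arithmetic as Snort 2.x applies it: with an offset, depth is counted from the offset position, and with a distance, within is counted from the end of the skip. The function names `window` and `match_rule` and the sample payload are constructed for illustration.

```python
# Added illustration: a small model of how a Snort-style engine turns
# offset/depth/distance/within into a byte window for each content match.
# Function names and the sample payload are constructed for this example.

def window(size, prev_end, offset=None, depth=None, distance=None, within=None):
    """Return (start, end) of the bytes a content match may occupy."""
    if distance is not None or within is not None:
        # Relative modifiers: measured from the end of the previous match.
        start = prev_end + (distance or 0)
        end = start + within if within is not None else size
    else:
        # Absolute modifiers: measured from the first payload byte.
        start = offset or 0
        end = start + depth if depth is not None else size
    return max(start, 0), min(end, size)

def match_rule(payload, contents, i=0, prev_end=0):
    """Match contents in order; return [(start, end), ...] or None."""
    if i == len(contents):
        return []
    opts = dict(contents[i])
    pattern = opts.pop("content")
    lo, hi = window(len(payload), prev_end, **opts)
    pos = payload.find(pattern, lo, hi)      # whole pattern must fit in [lo, hi)
    while pos != -1:
        rest = match_rule(payload, contents, i + 1, pos + len(pattern))
        if rest is not None:
            return [(pos, pos + len(pattern))] + rest
        pos = payload.find(pattern, pos + 1, hi)   # retry a later occurrence
    return None

# Constructed payload: application data only, no IP/TCP header bytes.
PAYLOAD = b"GET /admin/login.php?user=root HTTP/1.1\r\n"

# Models: content:"GET"; depth:3; content:"/admin/"; offset:4; depth:7;
#         content:"user="; distance:10; within:5;
RULE = [
    {"content": b"GET", "depth": 3},
    {"content": b"/admin/", "offset": 4, "depth": 7},
    {"content": b"user=", "distance": 10, "within": 5},
]

if __name__ == "__main__":
    print(match_rule(PAYLOAD, RULE))
```

Shrinking `within` to 4 or moving `offset` to 5 makes the same rule miss, because the whole pattern must fit inside the window.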
Topic revision: r2 - 2009-02-18 - MattJonkman
Copyright © Emerging Threats