Snort DOE pointer definition

j-cert-manj-cert-man Registered Users Posts: 6 ■□□□□□□□□□
Guys I should know the answer, but my mind has gone blank and google is not helping.

In the context of Snort and Byte_Jump Byte_Test Byte_Extract rules what does DOE stand for

Thanks for any help you can provide


  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Detect Offset End. It's something that's used not just in the byte_test and byte_jump options, but anytime you're looking at the payload at specific locations.

    For example, if you're doing a content match on a TCP packet that has an HTTP payload, you might specify how far into the payload to start looking for a content string. The starting point of the payload (byte offset 0) would essentially be that first byte after the end of the TCP header. If you use offset or distance options in the rule, the DOE pointer starts at that beginning (or since the previous content match in the case of distance) and moves x number of bytes to a given location. If you use the corresponding depth and within keywords, you tell the DOE pointer to only examine x number of bytes after the DOE pointer first lands via the offset or distance value.
    Hopefully-useful stuff I've written:
Sign In or Register to comment.