Snort DOE pointer definition
j-cert-man
Guys, I should know the answer, but my mind has gone blank and Google is not helping.
In the context of Snort and Byte_Jump, Byte_Test and Byte_Extract rules, what does DOE stand for?
Thanks for any help you can provide.
Comments
docrice
Detect Offset End. It's something that's used not just in the byte_test and byte_jump options, but anytime you're looking at the payload at specific locations.
For example, if you're doing a content match on a TCP packet that has an HTTP payload, you might specify how far into the payload to start looking for a content string. The starting point of the payload (byte offset 0) would essentially be that first byte after the end of the TCP header. If you use offset or distance options in the rule, the DOE pointer starts at that beginning (or since the previous content match in the case of distance) and moves x number of bytes to a given location. If you use the corresponding depth and within keywords, you tell the DOE pointer to only examine x number of bytes after the DOE pointer first lands via the offset or distance value.
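As an added illustration (not part of docrice's answer and not Snort's own code), the following Python simulation walks the DOE pointer through a constructed HTTP payload under the offset/depth and distance/within modifiers described above. The payload, the clause list and the function names are constructed for this example; the modelled semantics are the ones the answer describes (offset/depth absolute from byte 0, distance/within relative to where the pointer landed after the previous match, and the match must fit entirely in the window).

```python
# Added example: simulating Snort-style content modifiers and the DOE pointer.
# Not Snort's code; payload, rule clauses and function names are constructed.

def match_content(payload, content, doe=0, offset=None, depth=None,
                  distance=None, within=None):
    """Search for `content` in `payload` under Snort-style modifiers.

    offset/depth are absolute (measured from byte 0 of the payload);
    distance/within are relative to the current DOE pointer, i.e. the
    byte just after the previous match. Returns the new DOE pointer
    (index just past this match) or None if the clause does not match.
    """
    if distance is not None or within is not None:
        start = doe + (distance or 0)   # relative: hop from the previous match end
        window = within                 # examine only this many bytes from there
    else:
        start = offset or 0             # absolute: hop from the start of the payload
        window = depth
    start = max(start, 0)
    end = len(payload) if window is None else min(len(payload), start + window)
    idx = payload.find(content, start, end)  # bytes.find requires the whole match in [start, end)
    if idx == -1:
        return None
    return idx + len(content)            # DOE now points just past the match


def run_rule(payload, clauses):
    """Apply content clauses in order, threading the DOE pointer through them.

    Each clause is (content, modifier-dict). Returns the final DOE pointer,
    or None as soon as one clause fails to match.
    """
    doe = 0
    for content, mods in clauses:
        doe = match_content(payload, content, doe, **mods)
        if doe is None:
            return None
    return doe


# Constructed HTTP request payload; byte 0 is the first byte after the TCP header.
PAYLOAD = b"GET /admin/login.php HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Constructed rule-like clause list: anchor on the method at the very start,
# then look a bounded distance past it for the path, then require the
# protocol version to appear within a short window after the path.
RULE = [
    (b"GET", {"offset": 0, "depth": 3}),            # must be the first 3 bytes
    (b"/admin/", {"distance": 1, "within": 7}),     # starts 1 byte after "GET", fits in 7
    (b"HTTP/1.1", {"distance": 0, "within": 30}),   # somewhere in the next 30 bytes
]

if __name__ == "__main__":
    print("final DOE pointer:", run_rule(PAYLOAD, RULE))  # prints 29
```

Tightening the last clause's within (for example to 10) makes the rule fail, and an absolute offset of 5 for "/admin/" also fails, since offset counts from byte 0 rather than from the previous match.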