The key points are:
- offset is absolute, i.e. measured from the beginning of the buffer
- distance is relative, i.e. measured from the byte following the prior content match
- depth goes with offset and within goes with distance; no other combinations are allowed
If you use any other combination of these keywords, you will now get one of these errors:
ERROR: snort.conf(1) offset can't be used with itself, distance, or within
ERROR: snort.conf(2) depth can't be used with itself, distance, or within
ERROR: snort.conf(3) distance can't be used with itself, offset, or depth
ERROR: snort.conf(4) within can't be used with itself, offset, or depth
To understand these errors, let's look at what the options mean:
offset j: start searching for the content j bytes after the start of the buffer (zero if not specified).
depth k: stop searching for the content k bytes after the offset (end of buffer if not specified).
distance j: start searching for the content j bytes after the end of the prior content match (start of buffer if not specified).
within k: stop searching for the content k bytes after the start point set by distance (end of buffer if not specified).
Consider this HTTP GET:
GET /c.gif?RF=&SU=http%3a%2f%2fjoin.msn.com%2fen... HTTP/1.1
We can apply all four keywords in this rule:
alert tcp any any -> any 80 ( sid:202; msg:"202"; content:"c.gif"; http_uri; \
offset:1; depth:5; content:"join"; http_uri; distance:1; within:18; )
Note that:
- offset and depth are used on the first content for an absolute location
- distance and within are used on the second content for a location relative to the first content
- both contents are specified to be in the same buffer (normalized URI buffer)
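As an added example (not Snort's own code), the following Python models the search windows the four keywords define as described above, rejects the absolute/relative mixes listed as errors, and applies the sid:202 rule to the URI from the GET. The two inputs are constructed: the raw URI, and an assumed normalized form with the percent escapes decoded as the normalized URI buffer would hold them.

```python
# Added example, not Snort's code: a model of the search windows this post describes.
# offset/depth are absolute (from the start of the buffer); distance/within are relative
# to the byte following the prior content match. Mixing the two groups is an error.

def check_modifiers(mods):
    """Reject the absolute/relative mixes the post lists as configuration errors."""
    absolute = sorted({"offset", "depth"} & mods.keys())
    relative = sorted({"distance", "within"} & mods.keys())
    if absolute and relative:
        raise ValueError(f"{absolute} can't be used with {relative}")

def find_content(buf, pattern, prior_end=None, **mods):
    """Return (start, end) of the first match of pattern inside the window the
    modifiers define, or None. prior_end is the index just past the previous match."""
    check_modifiers(mods)
    if "distance" in mods or "within" in mods:
        if prior_end is None:
            raise ValueError("distance/within need a prior content match")
        start = prior_end + mods.get("distance", 0)      # relative start point
        stop = start + mods["within"] if "within" in mods else len(buf)
    else:
        start = mods.get("offset", 0)                    # absolute start point
        stop = start + mods["depth"] if "depth" in mods else len(buf)
    # bytes.find with bounds searches buf[start:stop], so the whole pattern must fit
    # inside the window, which is how depth/within bound the search region here.
    idx = buf.find(pattern, start, min(stop, len(buf)))
    return None if idx < 0 else (idx, idx + len(pattern))

def match_rule_202(uri):
    """Apply the post's sid:202 rule: content:"c.gif"; offset:1; depth:5;
    content:"join"; distance:1; within:18; both in the same URI buffer."""
    first = find_content(uri, b"c.gif", offset=1, depth=5)
    if first is None:
        return None
    second = find_content(uri, b"join", prior_end=first[1], distance=1, within=18)
    return None if second is None else (first, second)

# Constructed inputs: the raw URI from the GET above (truncated), and an assumed
# normalized form with the %3a/%2f escapes decoded as the normalized URI buffer holds them.
RAW_URI = b"/c.gif?RF=&SU=http%3a%2f%2fjoin.msn.com%2fen"
NORMALIZED_URI = b"/c.gif?RF=&SU=http://join.msn.com/en"

if __name__ == "__main__":
    print(match_rule_202(NORMALIZED_URI))  # ((1, 6), (21, 25)): both contents found
    print(match_rule_202(RAW_URI))         # None: "join" lies past the 18-byte window
```

Running it on the raw, un-normalized bytes shows why the buffer choice matters: the encoded "%2f%2f" pushes "join" outside the within:18 window, so only the normalized URI buffer gives the match the rule expects.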