Snort mailing list archives
align option of byte_jump
From: "Martin Hofmeister" <mhofmeister () inkra com>
Date: Thu, 4 Sep 2003 11:19:59 -0700
Could someone please help me understand the exact use of the align option of the byte_jump feature? Here's how byte_jump looks:
byte_jump: <bytes_to_convert>, <offset> [, [relative], [big], [little], [string], [hex], [dec], [oct], [align]]
According to the documentation, align rounds the number of converted bytes up to the next 32-bit boundary. I am confused by the example given in the documentation, which looks as follows:
alert udp any any -> any 32770:34000 (content: "| 00 01 86 B8 |"; \
content: "| 00 00 00 01|"; distance: 4; within: 4; \
byte_jump: 4, 12, relative, align; \
byte_test: 4, >, 900, 20, relative; \
msg: "statd format string buffer overflow";)
The byte_jump has specified 4 bytes to convert, so why would we need the "align" option in this example since we are already converting 32 bits (4 bytes)?
If anyone can explain this option to me I would really appreciate it.
Thanks,
Martin Hofmeister
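
Added example, not part of the original post and not Snort's own code: a Python model of "byte_jump: 4, 12, relative, align" run over a constructed payload. It assumes that align rounds the value read from the packet (the jump distance) up to a multiple of 4, matching XDR's padding of variable-length fields, and that the jump starts at the end of the converted field; the names byte_jump, xdr_string, PAYLOAD and next_field_after_jump are hypothetical.

```python
import struct


def xdr_string(data: bytes) -> bytes:
    """XDR variable-length string: 4-byte big-endian length, data, zero pad to 4 bytes."""
    pad = (-len(data)) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad


def byte_jump(payload: bytes, cursor: int, nbytes: int, offset: int,
              align: bool = False) -> int:
    """Model of `byte_jump: nbytes, offset, relative[, align]` (big-endian).

    Returns the new cursor; raises ValueError if the field or the jump
    target lies outside the payload (the rule option would not match).
    """
    start = cursor + offset
    field = payload[start:start + nbytes]
    if len(field) != nbytes:
        raise ValueError("length field outside payload")
    value = int.from_bytes(field, "big")
    if align and value % 4:
        # Assumption: align rounds the converted VALUE up, not nbytes.
        value += 4 - value % 4
    new_cursor = start + nbytes + value
    if new_cursor > len(payload):
        raise ValueError("jump target outside payload")
    return new_cursor


# Constructed sample: 12 filler bytes after the last content match,
# then an XDR string of length 5 (3 pad bytes), then a 4-byte field.
FILLER = b"\xaa" * 12
NEXT_FIELD = struct.pack(">I", 0xDEADBEEF)
PAYLOAD = FILLER + xdr_string(b"host1") + NEXT_FIELD


def next_field_after_jump(align: bool) -> bytes:
    """Four bytes at the cursor after the jump, as a following byte_test would read."""
    pos = byte_jump(PAYLOAD, 0, 4, 12, align=align)
    return PAYLOAD[pos:pos + 4]


if __name__ == "__main__":
    for flag in (False, True):
        print("align=%s -> %s" % (flag, next_field_after_jump(flag).hex()))
```

Under these assumptions the 4 in the rule is only the width of the length field; align acts on the length it contains, so a 5-byte string still moves the cursor past its 3 padding bytes to the next field.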
