Azinix

Rlp_OffsetAttribute_t Struct Reference

The offset rule option is used as a modifier to rules using the content option keyword.

#include <rlp.h>


Data Fields

int offset


Detailed Description

The offset rule option is used as a modifier to rules using the content option keyword.

This keyword modifies the starting search position for the pattern match function from the beginning of the packet payload.

It is very useful for things like CGI scan detection rules, where the content search string is never found in the first four bytes of the payload. Take care not to set the offset value too tightly, or the rule may miss an attack!

This rule option keyword cannot be used without also specifying a content rule option.

Example:

alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF access";)
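The following is an added example, not code from rlp.h or the Azinix sources: it applies the content/offset/depth part of the rule above to two constructed requests and shows how an offset or depth set too tightly loses the match. The names `content_search` and `rule_match` are hypothetical, and it assumes that depth counts bytes from the offset position, with 0 meaning the rest of the payload.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from rlp.h): index of `pat` in the payload, or -1.
 * The search begins `offset` bytes into the payload. Assumption: `depth` is
 * the number of bytes searched from that point; 0 means "to the end". */
static long content_search(const unsigned char *payload, size_t plen,
                           const char *pat, int offset, int depth)
{
    size_t patlen = strlen(pat);
    if (offset < 0 || depth < 0 || patlen == 0 || (size_t)offset > plen)
        return -1;

    size_t start = (size_t)offset;
    size_t end = plen;
    if (depth > 0 && (size_t)depth < plen - start)
        end = start + (size_t)depth;          /* clamp window to depth */

    for (size_t i = start; i + patlen <= end; i++)
        if (memcmp(payload + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample requests; the pattern sits at index 5 and 6. */
static const char REQ_GET[]  = "GET /cgi-bin/phf HTTP/1.0\r\n\r\n";
static const char REQ_HEAD[] = "HEAD /cgi-bin/phf HTTP/1.0\r\n\r\n";

/* Apply the content/offset/depth part of the example rule to one request. */
static long rule_match(const char *req, int offset, int depth)
{
    return content_search((const unsigned char *)req, strlen(req),
                          "cgi-bin/phf", offset, depth);
}

int main(void)
{
    printf("GET  offset 3 depth 22: %ld\n", rule_match(REQ_GET, 3, 22));
    printf("HEAD offset 3 depth 22: %ld\n", rule_match(REQ_HEAD, 3, 22));
    printf("GET  offset 6 depth 22: %ld\n", rule_match(REQ_GET, 6, 22));
    printf("GET  offset 3 depth 12: %ld\n", rule_match(REQ_GET, 3, 12));
    return 0;
}
```

With offset 3 and depth 22 both requests match; raising the offset to 6 still matches the HEAD request but silently misses the GET request, and a depth of 12 cuts the window one byte short of the pattern.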

Definition at line 859 of file rlp.h.


Field Documentation

int Rlp_OffsetAttribute_t::offset

Definition at line 861 of file rlp.h.