isdataat

The isdataat rule option verifies the payload data exists at a specified location.

isdataat is specified with the isdataat keyword, followed by a colon character, followed by a number that signals where to look for packet data, and lastly followed optionally by ,relative to tell Snort to look for data starting from a previous cursor move.

Users can also specify a negated isdataat check with ! placed before the number to check that certain amount of data is not present at a specified location in the payload.

Valid isdataat numbers are 0 through 65535 (inclusive). This means that isdataat:0 checks that there is at least one byte present after the current cursor location.

Format:

isdataat:[!]location[,relative];

Examples:

isdataat:100;

content:"USER"; 
# checks for at least 30 bytes after "USER" since valid isdataat numbers start at 0
isdataat:29,relative; 
content:!"|0a|", within 30;