
<html>

  <head>

    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <p>How do you have a HTTP session that is only 5-6 bytes?  Why would

      you need to even use a negated http_host if you are using dsize

      since "Host: " is already six bytes?<br>

    </p>

    <p>If it is the first application layer packet in the stream, you

      can use stream_size; for 6 bytes or less (coming from client):<br>

    </p>

    <p><font face="Tahoma" color="black" size="2"><span

          style="font-size:10pt;" dir="ltr">stream_size:client,<,8; </span></font></p>

    <p>or for 5-6 bytes:</p>

    <p><font face="Tahoma" color="black" size="2"><span

          style="font-size:10pt;" dir="ltr">stream_size:client,<,8;

          stream_size:client,>,6;</span></font></p>

    <p>stream_size is based on sequence numbers so you have to keep in

      mind the 3WHS.<br>

    </p>

    <p>-David<br>

    </p>

    <br>

    <div class="moz-cite-prefix">On 04/04/2017 01:09 PM, erik clark

      wrote:<br>

    </div>

    <blockquote

cite="mid:CAK6atxp9PMAX1LGG4Ftuo8iiJ7hJ+nuTXhcFkKusKWmziVw88g@mail.gmail.com"

      type="cite">

      <div dir="ltr">Is there a way to confirm that a packet is 6 bytes

        or less, without using dsize and stream? I need to use http

        keywords (specifically http_host), which doesnt mix with dsize

        and stream. My problem is that I have a 5-6 byte packet with a

        specific text string, that accounts for the entire http

        session. 

        <div><br>

        </div>

        <div>I can do </div>

        <div>content: "string"; offset:0; depth:6; content:!"<a

            moz-do-not-send="true" href="http://longstring.intuit.com">longstring.intuit.com</a>";

          http_host</div>

        <div><br>

        </div>

        <div>but this doesnt account for issues where the packet is

          bigger than 6 bytes (which i want to exclude)</div>

        <div><br>

        </div>

        <div>Thanks!</div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>

Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>

List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>

</pre>

    </blockquote>

    <br>

  </body>

</html>