<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>How do you have an HTTP session that is only 5-6 bytes?  Why would
      you need to even use a negated http_host if you are using dsize
      since "Host: " is already six bytes?<br>
    </p>
    <p>If it is the first application layer packet in the stream, you
      can use stream_size; for 6 bytes or less (coming from client):<br>
    </p>
    <p><font face="Tahoma" color="black" size="2"><span
          style="font-size:10pt;" dir="ltr">stream_size:client,&lt;,8; </span></font></p>
    <p>or for 5-6 bytes:</p>
    <p><font face="Tahoma" color="black" size="2"><span
          style="font-size:10pt;" dir="ltr">stream_size:client,&lt;,8;
          stream_size:client,&gt;,6;</span></font></p>
    <p>stream_size is based on sequence numbers so you have to keep in
      mind the 3WHS.<br>
    </p>
    <p>-David<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 04/04/2017 01:09 PM, erik clark
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAK6atxp9PMAX1LGG4Ftuo8iiJ7hJ+nuTXhcFkKusKWmziVw88g@mail.gmail.com"
      type="cite">
      <div dir="ltr">Is there a way to confirm that a packet is 6 bytes
        or less, without using dsize and stream? I need to use http
        keywords (specifically http_host), which doesn't mix with dsize
        and stream. My problem is that I have a 5-6 byte packet with a
        specific text string, that accounts for the entire http
        session. 
        <div><br>
        </div>
        <div>I can do </div>
        <div>content: "string"; offset:0; depth:6; content:!"<a
            moz-do-not-send="true" href="http://longstring.intuit.com">longstring.intuit.com</a>";
          http_host</div>
        <div><br>
        </div>
        <div>but this doesn't account for issues where the packet is
          bigger than 6 bytes (which I want to exclude)</div>
        <div><br>
        </div>
        <div>Thanks!</div>
      </div>
      <br>
      <pre wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>