<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>How do you have an HTTP session that is only 5-6 bytes? Why would
you need to even use a negated http_host if you are using dsize,
since "Host: " is already six bytes?<br>
</p>
<p>If it is the first application layer packet in the stream, you
can use stream_size; for 6 bytes or less (coming from client):<br>
</p>
<p><font face="Tahoma" color="black" size="2"><span
style="font-size:10pt;" dir="ltr">stream_size:client,<,8; </span></font></p>
<p>or for 5-6 bytes:</p>
<p><font face="Tahoma" color="black" size="2"><span
style="font-size:10pt;" dir="ltr">stream_size:client,<,8;
stream_size:client,>,6;</span></font></p>
<p>stream_size is based on sequence numbers so you have to keep in
mind the 3WHS.<br>
</p>
<p>-David<br>
</p>
<br>
<div class="moz-cite-prefix">On 04/04/2017 01:09 PM, erik clark
wrote:<br>
</div>
<blockquote
cite="mid:CAK6atxp9PMAX1LGG4Ftuo8iiJ7hJ+nuTXhcFkKusKWmziVw88g@mail.gmail.com"
type="cite">
<div dir="ltr">Is there a way to confirm that a packet is 6 bytes
or less, without using dsize and stream? I need to use http
keywords (specifically http_host), which doesn't mix with dsize
and stream. My problem is that I have a 5-6 byte packet with a
specific text string, that accounts for the entire http
session.
<div><br>
</div>
<div>I can do </div>
<div>content: "string"; offset:0; depth:6; content:!"<a
moz-do-not-send="true" href="http://longstring.intuit.com">longstring.intuit.com</a>";
http_host</div>
<div><br>
</div>
<div>but this doesn't account for issues where the packet is
bigger than 6 bytes (which I want to exclude)</div>
<div><br>
</div>
<div>Thanks!</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</pre>
</blockquote>
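<p>As an added illustration of the stream_size caveat in the reply above (example code, not Suricata's own): this model assumes, as the 3WHS remark implies, that the client stream size is the distance from the client's ISN to its next expected sequence number, so the SYN alone already counts for one. It enumerates which single-segment payload lengths satisfy the two rule fragments quoted above.</p>

```python
"""Model of Suricata's stream_size keyword for the TCP client side.

Added example, not Suricata code. Assumption: client stream size is
next_seq minus ISN, so the SYN consumes one unit before any payload.
"""
import operator
import re

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "!=": operator.ne,
       "<=": operator.le, ">=": operator.ge}


class ClientStream:
    """Tracks only what stream_size needs: the client's ISN and next_seq."""

    def __init__(self, isn: int):
        self.isn = isn
        self.next_seq = (isn + 1) & 0xFFFFFFFF   # SYN consumes one sequence number (3WHS)

    def send(self, payload: bytes) -> None:
        # Each data segment advances next_seq by its payload length (mod 2^32).
        self.next_seq = (self.next_seq + len(payload)) & 0xFFFFFFFF

    def stream_size(self) -> int:
        return (self.next_seq - self.isn) & 0xFFFFFFFF


# Parses only the client form of the keyword, e.g. "stream_size:client,<,8;"
_RULE_RE = re.compile(r"stream_size:\s*client\s*,\s*(<=|>=|!=|<|>|=)\s*,\s*(\d+)\s*;")


def parse_client_checks(rule_fragment: str) -> list:
    """Extract (operator, number) pairs from client-side stream_size keywords."""
    return [(op, int(num)) for op, num in _RULE_RE.findall(rule_fragment)]


def matches(stream: ClientStream, rule_fragment: str) -> bool:
    """True when every stream_size:client check in the fragment holds."""
    size = stream.stream_size()
    return all(OPS[op](size, num) for op, num in parse_client_checks(rule_fragment))


def matching_payload_lengths(rule_fragment: str, max_len: int = 16) -> list:
    """Payload lengths of a single client data segment (after SYN) that satisfy the fragment."""
    hits = []
    for n in range(max_len + 1):
        s = ClientStream(isn=0x1000)   # constructed ISN; any value gives the same result
        s.send(b"A" * n)
        if matches(s, rule_fragment):
            hits.append(n)
    return hits


if __name__ == "__main__":
    print(matching_payload_lengths("stream_size:client,<,8;"))
    print(matching_payload_lengths("stream_size:client,<,8; stream_size:client,>,6;"))
```

<p>Because the SYN already accounts for one unit, a client stream whose only data segment is N bytes long reports stream_size N+1, which is why the thresholds in the rule sit one above the payload lengths they are meant to catch.</p>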
<br>
</body>
</html>