[Oisf-users] secondary way to identify size of packet?

erik clark philosnef at gmail.com
Tue Apr 4 17:09:00 UTC 2017

Is there a way to confirm that a packet is 6 bytes or less, without using
dsize and stream? I need to use http keywords (specifically http_host),
which doesnt mix with dsize and stream. My problem is that I have a 5-6
byte packet with a specific text string, that accounts for the entire http

I can do
content: "string"; offset:0; depth:6; content:!"longstring.intuit.com";

but this doesnt account for issues where the packet is bigger than 6 bytes
(which i want to exclude)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170404/67beb0bf/attachment.html>

More information about the Oisf-users mailing list