[Oisf-users] secondary way to identify size of packet?

erik clark philosnef at gmail.com
Tue Apr 4 17:09:00 UTC 2017


Is there a way to confirm that a packet is 6 bytes or less, without using
dsize and stream? I need to use http keywords (specifically http_host),
which doesn't mix with dsize and stream. My problem is that I have a 5-6
byte packet with a specific text string that accounts for the entire http
session.

I can do
content: "string"; offset:0; depth:6; content:!"longstring.intuit.com"; http_host;

but this doesn't account for issues where the packet is bigger than 6 bytes
(which I want to exclude).

Thanks!