[Oisf-users] secondary way to identify size of packet?

David Wharton oisf at davidwharton.us
Wed Apr 5 15:57:26 UTC 2017

How do you have a HTTP session that is only 5-6 bytes?  Why would you
need to even use a negated http_host if you are using dsize since "Host:
" is already six bytes?

If it is the first application layer packet in the stream, you can use
stream_size; for 6 bytes or less (coming from client):


or for 5-6 bytes:

stream_size:client,<,8; stream_size:client,>,6;

stream_size is based on sequence numbers so you have to keep in mind the


On 04/04/2017 01:09 PM, erik clark wrote:
> Is there a way to confirm that a packet is 6 bytes or less, without
> using dsize and stream? I need to use http keywords (specifically
> http_host), which doesnt mix with dsize and stream. My problem is that
> I have a 5-6 byte packet with a specific text string, that accounts
> for the entire http session. 
> I can do 
> content: "string"; offset:0; depth:6; content:!"longstring.intuit.com
> <http://longstring.intuit.com>"; http_host
> but this doesnt account for issues where the packet is bigger than 6
> bytes (which i want to exclude)
> Thanks!
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170405/1e497b10/attachment-0002.html>

More information about the Oisf-users mailing list