[Oisf-users] secondary way to identify size of packet?

David Wharton oisf at davidwharton.us
Wed Apr 5 15:57:26 UTC 2017


How do you have a HTTP session that is only 5-6 bytes?  Why would you
need to even use a negated http_host if you are using dsize since "Host:
" is already six bytes?

If it is the first application layer packet in the stream, you can use
stream_size; for 6 bytes or less (coming from client):

stream_size:client,<,8;

or for 5-6 bytes:

stream_size:client,<,8; stream_size:client,>,6;

stream_size is based on sequence numbers so you have to keep in mind the
3WHS.

-David


On 04/04/2017 01:09 PM, erik clark wrote:
> Is there a way to confirm that a packet is 6 bytes or less, without
> using dsize and stream? I need to use http keywords (specifically
> http_host), which doesnt mix with dsize and stream. My problem is that
> I have a 5-6 byte packet with a specific text string, that accounts
> for the entire http session. 
>
> I can do 
> content: "string"; offset:0; depth:6; content:!"longstring.intuit.com"; http_host
>
> but this doesn't account for issues where the packet is bigger than 6
> bytes (which I want to exclude)
>
> Thanks!
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
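As an added illustration (not part of David's reply and not Suricata's own code), the following Python models the sequence-number arithmetic behind the stream_size checks quoted above. It assumes stream_size is computed as next_seq minus the client's ISN, with the SYN consuming one sequence number, which is the 3WHS effect the reply warns about; the helpers after_handshake, deliver, stream_size, parse_check and rule_matches are hypothetical names for this model, and the ISN and payload sizes are constructed inputs.

```python
from dataclasses import dataclass
import operator

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class ClientStream:
    isn: int       # initial sequence number carried in the client's SYN
    next_seq: int  # next sequence number the client is expected to send


def after_handshake(isn: int) -> ClientStream:
    """Client-side state once the 3WHS is complete (assumed model):
    the SYN consumes one sequence number, so next_seq is isn + 1
    before any application data has been sent."""
    return ClientStream(isn=isn & SEQ_MASK, next_seq=(isn + 1) & SEQ_MASK)


def deliver(stream: ClientStream, payload_len: int) -> None:
    """Advance the client's sequence space by one data segment."""
    stream.next_seq = (stream.next_seq + payload_len) & SEQ_MASK


def stream_size(stream: ClientStream) -> int:
    """Client sequence space consumed so far, modelled as next_seq - isn
    (modulo 2**32). With this model it is payload bytes + 1 for the SYN."""
    return (stream.next_seq - stream.isn) & SEQ_MASK


# Comparison operators accepted by the stream_size fragment in this model.
OPS = {
    "<": operator.lt, ">": operator.gt, "=": operator.eq,
    "!=": operator.ne, "<=": operator.le, ">=": operator.ge,
}


def parse_check(text: str):
    """Parse a 'stream_size:client,<,8;' style fragment into (op, value)."""
    body = text.strip().rstrip(";")
    key, args = body.split(":", 1)
    if key.strip() != "stream_size":
        raise ValueError("not a stream_size check: %r" % text)
    side, op, value = (part.strip() for part in args.split(","))
    if side != "client":
        raise ValueError("this model only tracks the client side")
    return OPS[op], int(value)


def rule_matches(checks, payload_len: int, isn: int = 1000) -> bool:
    """Evaluate every stream_size check against the first data segment
    of a fresh stream whose SYN carried the constructed ISN."""
    stream = after_handshake(isn)
    deliver(stream, payload_len)
    size = stream_size(stream)
    return all(fn(size, value) for fn, value in map(parse_check, checks))


if __name__ == "__main__":
    for n in (5, 6, 7, 8):
        print(n, "byte payload ->",
              rule_matches(["stream_size:client,<,8;"], n),
              rule_matches(["stream_size:client,<,8;",
                            "stream_size:client,>,6;"], n))
```

Under this model a 6-byte first segment gives a stream_size of 7, which is why the threshold in the reply is 8 rather than 6; the wraparound masking also shows why a raw subtraction of sequence numbers is not enough when the ISN sits near 2**32. The exact boundary values depend on how the engine in use counts the SYN and when the check runs relative to the stream update, so the thresholds should be confirmed against a pcap with the Suricata version actually deployed.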
