[Oisf-users] secondary way to identify size of packet?

erik clark philosnef at gmail.com
Thu Apr 6 10:20:05 UTC 2017


Ok, this is interesting then. Yes, I know for absolute sure the packet is
5-6 bytes long. It is port 443 (broken-out ssl) traffic, but the only
content is ams\r\n. There is no other content whatsoever. No headers, no
anything. I know where the destination is (amazonaws hosts, legitimate
traffic), so I am not sure how I can dynamically exclude those destinations
without something like http_host.

Does this help clarify what I am trying to do? Thanks!



---

How do you have an HTTP session that is only 5-6 bytes?  Why would you
need to even use a negated http_host if you are using dsize, since "Host:
" is already six bytes?

If it is the first application layer packet in the stream, you can use
stream_size; for 6 bytes or less (coming from client):

stream_size:client,<,8;

or for 5-6 bytes:

stream_size:client,<,8; stream_size:client,>,6;

stream_size is based on sequence numbers so you have to keep in mind the
3WHS.

-David
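To make the "keep in mind the 3WHS" point concrete, here is a small added model (example code, not from this thread and not Suricata's own implementation). It assumes a per-direction stream size computed as next_seq minus the ISN, modulo 2^32, which is the natural reading of "based on sequence numbers"; the ISNs and the sample payloads built from the thread's ams\r\n are constructed values.

```python
# Added example for this thread, not code from the list or from Suricata.
# It models one thing only: a per-direction stream size derived from TCP
# sequence numbers (assumed here to be next_seq - isn, modulo 2^32), so you
# can see what the SYN of the 3WHS adds before any application data arrives.
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass
class Direction:
    isn: int       # initial sequence number seen in this direction's SYN
    next_seq: int  # next expected sequence number in this direction

    def stream_size(self) -> int:
        # Modular subtraction so a session whose ISN sits near 2^32 still counts up
        return (self.next_seq - self.isn) % SEQ_MOD


@dataclass
class Session:
    client: Direction
    server: Direction


def three_way_handshake(client_isn: int, server_isn: int) -> Session:
    """SYN and SYN/ACK each consume one sequence number without carrying payload."""
    return Session(
        client=Direction(client_isn, (client_isn + 1) % SEQ_MOD),
        server=Direction(server_isn, (server_isn + 1) % SEQ_MOD),
    )


def deliver(sess: Session, direction: str, payload: bytes) -> int:
    """Advance one direction by a data segment and return its stream size."""
    d = sess.client if direction == "client" else sess.server
    d.next_seq = (d.next_seq + len(payload)) % SEQ_MOD
    return d.stream_size()


def stream_size_match(sess: Session, direction: str, op: str, number: int) -> bool:
    """Evaluate one stream_size:<direction>,<op>,<number>; style comparison."""
    size = (sess.client if direction == "client" else sess.server).stream_size()
    ops = {"<": size < number, ">": size > number, "=": size == number,
           "!=": size != number, "<=": size <= number, ">=": size >= number}
    return ops[op]


def first_client_segment_size(payload: bytes, client_isn: int = 1000,
                              server_isn: int = 5000) -> int:
    """Client-side stream size after the 3WHS plus one data segment."""
    sess = three_way_handshake(client_isn, server_isn)
    return deliver(sess, "client", payload)


def rule_matches(payload: bytes, *conditions, client_isn: int = 1000) -> bool:
    """Apply several (op, number) client-side conditions together, as a rule would."""
    sess = three_way_handshake(client_isn, 5000)
    deliver(sess, "client", payload)
    return all(stream_size_match(sess, "client", op, n) for op, n in conditions)


if __name__ == "__main__":
    # Constructed payloads: the thread's ams\r\n (5 bytes) and a 6-byte variant
    for payload in (b"ams\r\n", b"ams\r\n\n"):
        print(len(payload), "payload bytes ->", first_client_segment_size(payload))
    print("<8 and >6 on 5 bytes:", rule_matches(b"ams\r\n", ("<", 8), (">", 6)))
```

Under this model the client SYN alone already counts as 1, so a 5-byte first segment reads as 6 and a 6-byte one as 7; a threshold like <8 therefore covers both, while a narrow window such as >6 together with <8 only admits one of them. Before relying on a tight window in production, confirm the exact counting against a captured session on your own sensor, since an off-by-one here silently drops alerts.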

