[Oisf-users] secondary way to identify size of packet?
erik clark
philosnef at gmail.com
Thu Apr 6 10:20:05 UTC 2017
Ok, this is interesting then. Yes, I know for absolute sure the packet is
5-6 bytes long. It is port 443 (broken-out ssl) traffic, but the only
content is ams\r\n. There is no other content whatsoever. No headers, no
anything. I know where the destination is (amazonaws hosts, legitimate
traffic), so I am not sure how I can dynamically exclude those destinations
without something like http_host.
Does this help clarify what I am trying to do? Thanks!
---
How do you have a HTTP session that is only 5-6 bytes? Why would you
need to even use a negated http_host if you are using dsize since "Host:
" is already six bytes?
If it is the first application layer packet in the stream, you can use
stream_size; for 6 bytes or less (coming from client):
stream_size:client,<,8;
or for 5-6 bytes:
stream_size:client,<,8; stream_size:client,>,6;
stream_size is based on sequence numbers so you have to keep in mind the
3WHS.
-David
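A small model of the stream_size check David describes, added here as an illustration; it is not part of the thread and not Suricata's own code. It assumes client-side stream_size is the next expected client sequence number minus the client ISN, so the SYN consumed in the 3WHS counts as one before any payload is sent, and the option parser only handles stream_size:client clauses.

```python
"""Model Suricata's stream_size keyword for the client half of a TCP stream."""
import operator
from dataclasses import dataclass, field

# Comparison operators accepted by stream_size:<dir>,<op>,<number>
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
       "!=": operator.ne, "<=": operator.le, ">=": operator.ge}


@dataclass
class ClientStream:
    """Client half of a session. Assumption: stream_size = next_seq - isn,
    so the handshake SYN already accounts for one sequence number."""
    isn: int
    next_seq: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_seq = self.isn + 1          # SYN consumes one seq number

    def send(self, payload: bytes) -> None:
        self.next_seq += len(payload)         # data advances next_seq

    def stream_size(self) -> int:
        return (self.next_seq - self.isn) & 0xFFFFFFFF   # 32-bit seq space


def parse_stream_size(option: str) -> tuple[str, str, int]:
    """Parse 'stream_size:client,<,8;' into ('client', '<', 8)."""
    body = option.strip().rstrip(";").split(":", 1)[1]
    direction, op, value = (s.strip() for s in body.split(","))
    if op not in OPS:
        raise ValueError(f"unknown stream_size operator {op!r}")
    return direction, op, int(value)


def rule_matches(rule_options: str, client: ClientStream) -> bool:
    """All stream_size:client clauses in the rule body must hold (AND)."""
    for opt in filter(None, (o.strip() for o in rule_options.split(";"))):
        direction, op, value = parse_stream_size(opt)
        if direction != "client":
            raise NotImplementedError("only the client direction is modelled")
        if not OPS[op](client.stream_size(), value):
            return False
    return True


def payload_sizes_matched(rule_options: str, max_payload: int = 10) -> list[int]:
    """First-segment payload lengths (in bytes) the rule would match."""
    hits = []
    for n in range(max_payload + 1):
        stream = ClientStream(isn=0x1000)     # constructed ISN
        stream.send(b"x" * n)
        if rule_matches(rule_options, stream):
            hits.append(n)
    return hits
```

Running payload_sizes_matched on the two clause sets from the reply shows how the SYN's sequence number shifts the payload lengths each one covers.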