Re: newbie question ....

[Ryan Hairyes <rhairyes () lee k12 nc us>]

Yes it does ... thanks ...  that does clear it up a lot for
me ... but I was still wondering how they got the >120 ... that isn't the 
infection size... is it?

Thanks again.

Quoting Erek Adams <erek () theadamsfamily net>:

: On Tue, 10 Sep 2002, Ryan Hairyes wrote:
: 
: > Im new to snort .... and I was wondering if someone maybe able to point
: me
: > in the right direction.  My question is .... how do you determine the
: > DSIZE when using the dsize option.  I noticed with the virus.rules file
: the
: > klez alert that the dsize is set to >120.  Thanks for the help.
: 
: Sure.
: 
: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.8
: 
: "The dsize option is used to test the packet payload size. It may be set to
: any value, plus use the greater than/less than signs to indicate ranges and
: limits. For example, if you know that a certain service has a buffer of a
: certain size, you can set this option to watch for attempted buffer
: overflows.
: It has the added advantage of being a much faster way to test for a buffer
: overflow than a payload content check."
: 
: Does that help?
: 
: -----
: Erek Adams
: Nifty-Type-Guy
: TheAdamsFamily.Net
: 





-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users