Snort mailing list archives

Re: Content matching question


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 20 Jan 2014 18:03:43 +0000

On Jan 20, 2014, at 12:58 PM, James Lay <jlay () slave-tothe-box net> wrote:


So....I'm trying to figure out how to really NOT match certain content,
but match if the data size is longer than expected.  Example:

I have a packet where the usual data size is say 20 bytes and contains
the word "bleh".  I know I can content:!"bleh" and away I go.  But say
that packet is 30 bytes?  That I'd like to see, regardless of whether it has the
content "bleh" or not.

What are my options?  Byte_test?  It's not http, so any options with
that were out.  Thanks for any guidance.

Does the field have a terminating string?  Like |0d 0a| or something?
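Added illustration (not part of the thread, not Snort's code): the size check James is asking about is what Snort's standard `dsize` rule option does, and it is evaluated independently of any `content` match, so `dsize:>20;` fires on the 30-byte packet whether or not "bleh" is present. The small evaluator below models just the `dsize` and (negated) `content` options over four constructed payloads so the difference between the two approaches can be seen side by side; the regex parser, helper names and sample payloads are all assumptions made for this example.

```python
import re

# Constructed sample payloads (not captured traffic): the "usual" 20-byte packet
# containing "bleh", an oversized 30-byte one that still contains "bleh",
# an oversized one without it, and a normal-length one without it.
SAMPLES = {
    "normal_bleh":    b"bleh" + b"A" * 16,   # 20 bytes, contains bleh
    "long_bleh":      b"bleh" + b"A" * 26,   # 30 bytes, contains bleh
    "long_no_bleh":   b"B" * 30,             # 30 bytes, no bleh
    "normal_no_bleh": b"B" * 20,             # 20 bytes, no bleh
}

# Splits a Snort-style option string such as 'dsize:>20; content:!"bleh";'
# into (keyword, argument) pairs. Only the subset used below is modelled.
OPTION_RE = re.compile(r'\s*(\w+)\s*:\s*(.*?)\s*;')


def parse_options(options: str) -> list[tuple[str, str]]:
    return OPTION_RE.findall(options)


def eval_dsize(arg: str, payload: bytes) -> bool:
    """dsize compares the payload length: '>N', '<N' or exactly 'N'."""
    n = len(payload)
    if arg.startswith(">"):
        return n > int(arg[1:])
    if arg.startswith("<"):
        return n < int(arg[1:])
    return n == int(arg)


def eval_content(arg: str, payload: bytes) -> bool:
    """content:"x" is true if x occurs in the payload; content:!"x" inverts it."""
    negated = arg.startswith("!")
    pattern = arg.lstrip("!").strip().strip('"').encode()
    found = pattern in payload
    return not found if negated else found


def rule_matches(options: str, payload: bytes) -> bool:
    """Every option in a Snort rule body must hold for the rule to fire."""
    for keyword, arg in parse_options(options):
        if keyword == "dsize":
            if not eval_dsize(arg, payload):
                return False
        elif keyword == "content":
            if not eval_content(arg, payload):
                return False
        else:
            raise ValueError(f"unsupported option in this model: {keyword}")
    return True


def matching_samples(options: str) -> list[str]:
    """Names of the constructed samples that a given option string fires on."""
    return [name for name, p in SAMPLES.items() if rule_matches(options, p)]


if __name__ == "__main__":
    for opts in ('content:!"bleh";',            # the approach from the question
                 'dsize:>20;',                  # oversized, bleh or not
                 'content:!"bleh"; dsize:20;'): # normal length but missing bleh
        print(f"{opts:32} -> {matching_samples(opts)}")
```

`content:!"bleh";` alone misses the 30-byte packet that still carries "bleh", which is exactly the case the question wants to see; `dsize:>20;` catches both oversized packets, and a second rule such as `content:!"bleh"; dsize:20;` covers the normal-length packet that lacks the expected string.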

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


