Snort mailing list archives
Re: Content matching question
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 20 Jan 2014 11:11:10 -0700
On 2014-01-20 11:03, Joel Esler (jesler) wrote:
> On Jan 20, 2014, at 12:58 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
>> So....I'm trying to figure out how to really NOT match certain content, but match if the data size is longer than expected. Example: I have a packet where the usual data size is say 20 bytes and contains the word "bleh". I know I can content:!"bleh" and away I go. But say that packet is 30 bytes? That I'd like to see, regardless if it has the content "bleh" or not. What are my options? Byte_test? It's not http, so any options with that were out. Thanks for any guidance.
>
> Does the field have a terminating string? Like |0d 0a| or something?
I'll do some captures and post what I find here...thanks Joel.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
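The archived exchange above stops at Joel's question about a terminator, so the rule that James ended up with is not on this page. The block below is an added example, not code from the thread or from the Snort project: a Python emulation of the Snort 2 payload options that can express "this field is longer than it should be" (dsize, isdataat, and a negated content with a depth/within window), run over constructed packets so the candidate rules can be compared before anything is loaded into Snort. The field layout it assumes (a fixed 4-byte "CMD " prefix, a normally 20-byte field, a CRLF terminator, i.e. Joel's |0d 0a|) and all packet contents are constructed for illustration. Option semantics follow the Snort 2.9 manual; the exact boundary of isdataat ("data exists at offset N") should be confirmed against the build you run.

```python
# Added example (not from the thread): emulate the Snort 2 payload options
# dsize, isdataat and content (with offset/depth/within) on constructed
# packets, to compare rules that fire on an oversized field regardless of
# whether it contains "bleh".  Field layout and packets are assumptions.
from typing import Optional

PREFIX = b"CMD "                 # assumed fixed bytes in front of the field
NORMAL_LEN = 20                  # the usual field size from the question
TERMINATOR = b"\r\n"             # assumed terminator, Snort's |0d 0a|


# --- option emulation --------------------------------------------------------

def content(payload: bytes, pattern: bytes, offset: int = 0,
            depth: Optional[int] = None) -> Optional[int]:
    """content:"pattern"; offset:o; depth:d;  ('within:n' after a previous
    match is the same search with offset = end of that match, depth = n).
    Returns the offset just past the first match lying entirely inside the
    search window, or None when there is none."""
    end = len(payload) if depth is None else offset + depth
    idx = payload.find(pattern, offset, end)
    return None if idx < 0 else idx + len(pattern)


def dsize_gt(payload: bytes, n: int) -> bool:
    """dsize:>n;  true when the whole packet payload is longer than n bytes."""
    return len(payload) > n


def isdataat(payload: bytes, n: int, base: int = 0) -> bool:
    """isdataat:n[,relative];  true when a byte exists at offset n measured
    from base (0, or the end of the previous match for the relative form).
    Assumed boundary: the byte AT offset n must exist."""
    return len(payload) > base + n


# --- candidate rule bodies, one function each ---------------------------------

def rule_negated_content(p: bytes) -> bool:
    """content:!"bleh";  the rule from the question: fires only when "bleh"
    is absent, whatever the length of the field."""
    return content(p, b"bleh") is None


def rule_dsize(p: bytes) -> bool:
    """dsize:>26;  fires on any payload longer than prefix + field + CRLF."""
    return dsize_gt(p, len(PREFIX) + NORMAL_LEN + len(TERMINATOR))


def rule_isdataat_relative(p: bytes) -> bool:
    """content:"CMD "; depth:4; isdataat:22,relative;  fires when more than
    field + CRLF bytes follow the prefix, independent of total packet size."""
    end = content(p, PREFIX, depth=len(PREFIX))
    return end is not None and isdataat(p, NORMAL_LEN + len(TERMINATOR), base=end)


def rule_terminator_not_within(p: bytes) -> bool:
    """content:"CMD "; depth:4; content:!"|0d 0a|"; within:22;  fires when the
    terminator is not where a normal-length field would put it."""
    end = content(p, PREFIX, depth=len(PREFIX))
    return end is not None and content(
        p, TERMINATOR, offset=end, depth=NORMAL_LEN + len(TERMINATOR)) is None


RULES = {
    "content:!bleh": rule_negated_content,
    "dsize:>26": rule_dsize,
    "isdataat:22,relative": rule_isdataat_relative,
    "!CRLF within:22": rule_terminator_not_within,
}

# Constructed packets: a normal 20-byte field and an oversized 30-byte field,
# each with and without the word "bleh".
PAYLOADS = {
    "normal_with_bleh": PREFIX + b"bleh" + b"A" * 16 + TERMINATOR,
    "normal_no_bleh":   PREFIX + b"B" * 20 + TERMINATOR,
    "long_with_bleh":   PREFIX + b"bleh" + b"C" * 26 + TERMINATOR,
    "long_no_bleh":     PREFIX + b"D" * 30 + TERMINATOR,
}


def evaluate(payloads=PAYLOADS):
    """Return {packet_name: {rule_name: fired}} for every rule and packet."""
    return {name: {rule: fn(p) for rule, fn in RULES.items()}
            for name, p in payloads.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:18s}", {r: "ALERT" if hit else "-" for r, hit in results.items()})
```

Only the first rule cares about "bleh"; the other three fire on both oversized packets and stay quiet on both normal ones, which is the behaviour asked for. dsize:> needs no content at all but measures the entire packet payload, so it is the brittle choice if the field ever sits inside a larger message, and the Snort 2 manual notes that dsize does not match on stream-rebuilt packets. The two relative forms anchor to the prefix and so keep working when other data precedes the field; which of them fits depends on whether the protocol really terminates the field, which is exactly why Joel asked about |0d 0a|. byte_test is the tool for a different case, a protocol that carries an explicit length field whose value you want to compare, not for the size of the payload itself.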
Current thread:
- Content matching question James Lay (Jan 20)
- Re: Content matching question Joel Esler (jesler) (Jan 20)
- Re: Content matching question James Lay (Jan 20)
- Re: Content matching question James Lay (Jan 20)
- Re: Content matching question Joel Esler (jesler) (Jan 20)