Re: Content matching question

[James Lay <jlay () slave-tothe-box net>]

On 2014-01-20 11:03, Joel Esler (jesler) wrote:
> On Jan 20, 2014, at 12:58 PM, James Lay <jlay () slave-tothe-box net
> [1]> wrote:
>
> > So....I'm trying to figure out how to really NOT match certain
> > content,
> > but match if the data size is longer then expected. Example:
> >
> > I have a packet where the usual data size is say 20 bytes and
> > contains
> > the word "bleh". I know I can content:!"bleh" and away I go. But
> > say
> > that packet is 30 bytes? That I'd like to see, regardless if it has
> > the
> > content "bleh" or not.
> >
> > What are my options? Byte_test? It's not http, so any options with
> > that were out. Thanks for any guidance.
>
> Does the field have a terminating string? Like |0d 0a| or something?

I'll do some captures and post what I find here...thanks Joel.

James


------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!