Snort mailing list archives
Re: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x)
From: Chris Green <cmg () snort org>
Date: Tue, 29 Oct 2002 16:53:43 -0500
"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com> writes:
Here it is: tcp any any -> any any (msg:"LOCAL Someone email rule"; content:"some.user () umb com"; nocase; flow:established; dsize: >200; classtype:string-detect; sid:9999; rev:1;)
It works for me with
Attachment:
chad.conf
Description:
Attachment:
chad.cap
Description:
-- Chris Green <cmg () sourcefire com> You now have 14 minutes to reach minimum safe distance.
Current thread:
- RE: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x) Kreimendahl, Chad J (Oct 29)
- Re: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x) Chris Green (Oct 29)
- <Possible follow-ups>
- RE: [Snort-devel] dsize broken in snort 2 (and possibly 1.9.x) Kreimendahl, Chad J (Oct 29)