[Snort-devel] dsize ranges

Andreas Östling andreaso at ...387...
Thu Jun 27 12:54:05 EDT 2002


On Thu, 27 Jun 2002, Chris Green wrote:

> I like your patch and moving it into the 1.9. All development type
> activities should be focused on this as its a bit different from the
> 1.8 branch that has a final maintence release coming out.

Nice, thanks.

And I guess the check for rebuilt streams you recently added to the
other dsize checks should be added to CheckDsizeRange() as well.


Perhaps the documentation could now be updated to something similar to:

2.3.8  Dsize

The dsize option is used to test the packet payload size. It may be set to
any value, plus use the greater than/less than signs to indicate a lower
or upper limit. You may also specify the <> operator to do a range check.

For example, if you know that a certain service has a buffer of a certain
size, you can set this option to watch for attempted buffer overflows. It
has the added advantage of being a much faster way to test for a buffer
overflow than a payload content check.

Format

    dsize: [>|<] <number>;

Note: The > and < operators are optional!


Range format

    dsize: <minnumber> <> <maxnumber>;

Note: The range check is inclusive, thus matching a packet size of at
      least minnumber bytes but at most maxnumber.



Regards,
Andreas Östling





More information about the Snort-devel mailing list