[Snort-devel] dsize ranges
andreaso at ...387...
Thu Jun 27 12:54:05 EDT 2002
On Thu, 27 Jun 2002, Chris Green wrote:
> I like your patch and moving it into the 1.9. All development type
> activities should be focused on this as its a bit different from the
> 1.8 branch that has a final maintence release coming out.
And I guess the check for rebuilt streams you recently added to the
other dsize checks should be added to CheckDsizeRange() as well.
Perhaps the documentation could now be updated to something similar to:
The dsize option is used to test the packet payload size. It may be set to
any value, plus use the greater than/less than signs to indicate a lower
or upper limit. You may also specify the <> operator to do a range check.
For example, if you know that a certain service has a buffer of a certain
size, you can set this option to watch for attempted buffer overflows. It
has the added advantage of being a much faster way to test for a buffer
overflow than a payload content check.
dsize: [>|<] <number>;
Note: The > and < operators are optional!
dsize: <minnumber> <> <maxnumber>;
Note: The range check is inclusive, thus matching a packet size of at
least minnumber bytes but at most maxnumber.
More information about the Snort-devel