[Snort-devel] minimum stream size - dsizes, offsets and byte_tests
Michael J. Pomraning
mjp at ...806...
Tue Jun 17 05:46:15 EDT 2003
Is there a preferred way to check for minimum packet size /or/ reassembled
stream length, since dsize screens out the latter?
One option, rather kludgey, is to simply match a single byte of any value at a
byte_test: 1, <, 256, $offset
(compare ``content: "?"; regex; offset: $offset'' under 1.9).
Another option is to alter sp_dsize_check.c not to skip rebuilt streams. I'd
only tried this under 1.9, adding a keyword "ssize" and a DsizeCheckData flag
indicating whether or not to ignore PKT_REBUILT_STREAM packets. That seemed
to work, and wasn't invasive.
Is something like "ssize" feasible for the current code, or am I missing some
brambly interdependency between p->dsize and non-rebuilt streams?
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
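
Added example, not part of the original message and not Snort source: a simplified C model of the two options above, showing that a 1-byte read at offset N succeeds exactly when the payload is longer than N bytes, whether or not the packet is a rebuilt stream. ModelPacket, MODEL_PKT_REBUILT_STREAM (constructed value), size_gt and byte_present_at are hypothetical names, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed flag value for this model; Snort defines its own PKT_REBUILT_STREAM. */
#define MODEL_PKT_REBUILT_STREAM 0x1u

typedef struct {
    uint32_t flags;  /* MODEL_PKT_REBUILT_STREAM marks a reassembled pseudo-packet */
    uint16_t dsize;  /* payload length in bytes */
} ModelPacket;

/* "payload longer than n bytes" check.
 * skip_rebuilt = 1 models dsize as described in the message (rebuilt streams never match).
 * skip_rebuilt = 0 models the proposed "ssize" keyword (rebuilt streams are compared too). */
int size_gt(const ModelPacket *p, uint16_t n, int skip_rebuilt)
{
    if (skip_rebuilt && (p->flags & MODEL_PKT_REBUILT_STREAM))
        return 0;
    return p->dsize > n;
}

/* The byte_test workaround: any 1-byte value is < 256, so the test can only
 * fail when no byte exists at that offset. Offsets are zero-based, so a byte
 * at `offset` implies at least offset + 1 payload bytes. */
int byte_present_at(const ModelPacket *p, uint16_t offset)
{
    return (uint32_t)offset + 1u <= p->dsize;
}

int main(void)
{
    /* Constructed sample packets: two raw segments and one rebuilt stream. */
    const ModelPacket pkts[] = {
        { 0, 60 },
        { 0, 120 },
        { MODEL_PKT_REBUILT_STREAM, 4096 },
    };
    const uint16_t n = 99;  /* "more than 99 bytes", i.e. a byte exists at offset 99 */

    printf("dsize  rebuilt  dsize>%u  ssize>%u  byte@%u\n", n, n, n);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        const ModelPacket *p = &pkts[i];
        printf("%5u  %7d  %8d  %8d  %7d\n", p->dsize,
               (p->flags & MODEL_PKT_REBUILT_STREAM) != 0,
               size_gt(p, n, 1), size_gt(p, n, 0), byte_present_at(p, n));
    }
    return 0;
}
```
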