[Snort-devel] minimum stream size - dsizes, offsets and byte_tests

Michael J. Pomraning mjp at ...806...
Tue Jun 17 05:46:15 EDT 2003

Is there a preferred way to check for minimum packet size /or/ reassembled
stream length, since dsize screens out the latter?

One option, rather kludgey, is to simply match a single byte of any value at a
particular offset:

  byte_test: 1, <, 256, $offset

(compare ``content: "?"; regex; offset: $offset'' under 1.9).

Another option is to alter sp_dsize_check.c not to skip rebuilt streams.  I'd
only tried this under 1.9, adding a keyword "ssize" and a DsizeCheckData flag
indicating whether or not to ignore PKT_REBUILT_STREAM packets.  That seemed
to work, and wasn't invasive.

Is something like "ssize" feasible for the current code, or am I missing some
brambly interdependency between p->dsize and non-rebuilt streams?

Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
