[Snort-sigs] Differences between versions

長坂耕作 nagasaka at ...2239...
Tue Feb 17 17:22:01 EST 2004

I'm trying to detect a TLS application data packet which has
a certain payload size. So I wrote the following rule.
(In practical rules, I'd like to add a dsize option, of course.)

alert tcp any any <> any any (msg:"Certain Packet!"; content:"|17 03 01|"; depth: 3;)

However, this does not work on the following environments:
 2.1.1RC1 (FreeBSD4.9-p2)
 2.1.0    (FreeBSD4.9-p2)
 2.0.6    (FreeBSD4.9-p2)
while this works on the following environment:
 2.0.5    (Linux-2.4.22)

Does anyone know the reason?
Please let me know any information if possible.

Thanks in advance for your help,
Text by Kosaku Nagasaka. [E-mail: nagasaka at ...2239...]
<Remember, success comes in "cans", failure comes in "can'ts".>
*****Note that I may read E-mails in the Text format only.*****
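
An added example, not part of the original post: a Python model of what the rule's `content:"|17 03 01|"; depth: 3;` test checks against a single TCP payload, and of how an exact `dsize` (the segment's payload size) differs from the length field carried in the TLS record header. The function names and the sample payloads are constructed for illustration.

```python
import struct

RULE_CONTENT = b"\x17\x03\x01"   # application_data (0x17), version 3.1 (TLS 1.0)
HEADER_LEN = 5                   # type(1) + version(2) + length(2)


def parse_record_header(payload):
    """Return (content_type, (major, minor), record_length), or None if too short."""
    if len(payload) < HEADER_LEN:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:HEADER_LEN])
    return ctype, (major, minor), length


def matches_rule(payload, dsize=None):
    """Model content:"|17 03 01|"; depth:3; plus an optional exact dsize test."""
    if payload[:3] != RULE_CONTENT:
        return False
    # dsize compares the size of this packet's payload, not the TLS record length.
    return dsize is None or len(payload) == dsize


def describe(payload):
    """Summarise what the header claims versus what this segment carries."""
    header = parse_record_header(payload)
    if header is None:
        return None
    ctype, version, length = header
    return {
        "application_data": ctype == 0x17 and version == (3, 1),
        "record_length": length,            # from the header
        "segment_payload": len(payload),    # what dsize would see
        "complete_record": len(payload) >= HEADER_LEN + length,
    }


# Constructed sample payloads (not captured traffic).
FULL = RULE_CONTENT + struct.pack("!H", 32) + bytes(32)      # one whole record
HANDSHAKE = b"\x16\x03\x01" + struct.pack("!H", 4) + bytes(4)
SPLIT = FULL[:20]          # first TCP segment of a record split in two
CONTINUATION = FULL[20:]   # second segment: no record header at offset 0

if __name__ == "__main__":
    for name, p in [("full", FULL), ("handshake", HANDSHAKE),
                    ("split", SPLIT), ("continuation", CONTINUATION)]:
        print(name, matches_rule(p), describe(p))
```

A record of 32 bytes arrives in a 37-byte payload, so a `dsize` chosen from the record length alone has to account for the 5-byte header, and a segment that continues an earlier record has no header at offset 0 for `depth: 3` to find.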
