[Snort-sigs] Content matching question
jlay at ...3266...
Mon Jan 20 12:58:46 EST 2014
So....I'm trying to figure out how to really NOT match certain content,
but match if the data size is longer than expected. Example:
I have a packet where the usual data size is say 20 bytes and contains
the word "bleh". I know I can content:!"bleh" and away I go. But say
that packet is 30 bytes? That I'd like to see, regardless if it has the
content "bleh" or not.
What are my options? Byte_test? It's not http, so any options with
that were out. Thanks for any guidance.