[Snort-sigs] Content matching question

James Lay jlay at ...3266...
Mon Jan 20 12:58:46 EST 2014


Hey all,

So... I'm trying to figure out how to really NOT match certain content, 
but match if the data size is longer than expected.  Example:

I have a packet where the usual data size is say 20 bytes and contains 
the word "bleh".  I know I can content:!"bleh" and away I go.  But say 
that packet is 30 bytes?  That I'd like to see, regardless if it has the 
content "bleh" or not.

What are my options?  Byte_test?  It's not http, so any options with 
that were out.  Thanks for any guidance.

James
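
Added example, not part of the original post: one way to express the two conditions described above as separate Snort rules, using the `dsize` option for the payload-length check and a negated `content` for the missing keyword. The protocol, addresses and ports, `msg` text and `sid` values are placeholder assumptions.

```snort
# Constructed example rules; tcp, the any/any endpoints, the msg strings and
# the sids (local range) are assumptions, not values from the post.

# Rule 1: the keyword "bleh" is absent from the payload.
alert tcp any any -> any any (msg:"LOCAL keyword bleh missing from payload"; content:!"bleh"; sid:1000001; rev:1;)

# Rule 2: the payload is longer than the usual 20 bytes. There is no content
# option, so it fires whether or not "bleh" is present.
alert tcp any any -> any any (msg:"LOCAL payload longer than expected 20 bytes"; dsize:>20; sid:1000002; rev:1;)
```

In Snort 2, `dsize` is evaluated against individual packets and fails on stream-rebuilt packets, so the length rule reflects the size of each packet's payload rather than a reassembled stream.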



