[Snort-sigs] Content matching question

Joel Esler (jesler) jesler at ...3865...
Mon Jan 20 13:03:43 EST 2014


On Jan 20, 2014, at 12:58 PM, James Lay <jlay at ...3266...> wrote:


So....I'm trying to figure out how to really NOT match certain content,
but match if the data size is longer than expected.  Example:

I have a packet where the usual data size is say 20 bytes and contains
the word "bleh".  I know I can content:!"bleh" and away I go.  But say
that packet is 30 bytes?  That I'd like to see, regardless of whether it has the
content "bleh" or not.

What are my options?  Byte_test?  It's not http, so any options with
that were out.  Thanks for any guidance.

Does the field have a terminating string?  Like |0d 0a| or something?
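Two ways to express the "alert when the field is longer than expected, whatever it contains" idea from the question, added here as an editor's illustration rather than rules from either poster. Both assume the field starts at the beginning of the TCP payload, that the normal length is 20 bytes, and that the field is CRLF-terminated when Joel's terminator question applies; the port and SIDs are placeholders.

```snort
# Option 1: payload-length check. dsize compares the whole packet payload,
# so this only works when the field is the entire payload (no preceding data).
# Fires on any payload over 20 bytes, with or without "bleh".
alert tcp any any -> any 1234 (msg:"EXAMPLE oversized field (dsize)"; \
    flow:to_server,established; dsize:>20; \
    sid:1000001; rev:1;)

# Option 2: terminator check, the approach Joel's question points at.
# If the terminator |0d 0a| is NOT found within the first 20 bytes, the
# field ran longer than expected. Content is irrelevant to the match.
alert tcp any any -> any 1234 (msg:"EXAMPLE oversized field (missing CRLF)"; \
    flow:to_server,established; content:!"|0d 0a|"; depth:20; \
    sid:1000002; rev:1;)
```

Option 2 also catches the case where the oversized field is split across segments and the first packet is short, provided stream reassembly is enabled for port 1234; with dsize alone that packet would not trip the threshold. If the field does not start at payload offset 0, add an `offset:` before `depth:` to skip the fixed prefix.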
