[Snort-sigs] Content matching question

James Lay jlay at ...3266...
Mon Jan 20 13:11:10 EST 2014


On 2014-01-20 11:03, Joel Esler (jesler) wrote:
> On Jan 20, 2014, at 12:58 PM, James Lay <jlay at ...3266...
> [1]> wrote:
>
>> So....I'm trying to figure out how to really NOT match certain
>> content,
>> but match if the data size is longer than expected. Example:
>>
>> I have a packet where the usual data size is say 20 bytes and
>> contains
>> the word "bleh". I know I can content:!"bleh" and away I go. But
>> say
>> that packet is 30 bytes? That I'd like to see, regardless if it has
>> the
>> content "bleh" or not.
>>
>> What are my options? Byte_test? It's not http, so any options with
>> that were out. Thanks for any guidance.
>
> Does the field have a terminating string? Like |0d 0a| or something?

I'll do some captures and post what I find here...thanks Joel.

James
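For readers landing on this thread: the size-based match James describes is what the dsize rule option does. The rules below are an added example, not from the thread, and the port, $HOME_NET, sids and the 20-byte field length are placeholders to adapt.

```snort
# Added example, not from the thread. Port, $HOME_NET, sids and the 20-byte
# expected length are placeholders.

# 1. Payload larger than the expected 20 bytes, whether or not it contains
#    "bleh". dsize tests the raw packet payload only: it does not match on
#    stream-rebuilt pseudo-packets, so a field split across TCP segments
#    will not be caught by this rule.
alert tcp any any -> $HOME_NET 12345 (msg:"EXAMPLE payload larger than expected 20 bytes"; flow:to_server,established; dsize:>20; sid:1000001; rev:1;)

# 2. Normal-size payload that is missing the expected "bleh" marker
#    (James's original content:!"bleh" idea, restricted to exact-size packets).
alert tcp any any -> $HOME_NET 12345 (msg:"EXAMPLE 20-byte payload missing expected marker"; flow:to_server,established; dsize:20; content:!"bleh"; sid:1000002; rev:1;)

# 3. Joel's terminator idea: if the field normally ends in CRLF, fire when no
#    |0d 0a| appears within the first 20 bytes, i.e. the field ran long.
alert tcp any any -> $HOME_NET 12345 (msg:"EXAMPLE no CRLF terminator within first 20 bytes"; flow:to_server,established; content:!"|0d 0a|"; depth:20; sid:1000003; rev:1;)
```

Rule 1 alone answers the question as asked; rules 2 and 3 are alternatives depending on whether the captures show a fixed size or a terminator.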





More information about the Snort-sigs mailing list