[Snort-sigs] Content matching question

James Lay jlay at ...3266...
Mon Jan 20 15:22:08 EST 2014

On 2014-01-20 10:58, James Lay wrote:
> Hey all,
> So....I'm trying to figure out how to really NOT match certain 
> content,
> but match if the data size is longer then expected.  Example:
> I have a packet where the usual data size is say 20 bytes and 
> contains
> the word "bleh".  I know I can content:!"bleh" and away I go.  But 
> say
> that packet is 30 bytes?  That I'd like to see, regardless if it has 
> the
> content "bleh" or not.
> What are my options?  Byte_test?  It's not http, so any options with
> that were out.  Thanks for any guidance.
> James

Turns out dsize was just what I needed:


YAY..thanks all.


More information about the Snort-sigs mailing list