Thu Nov 23 16:34:03 EST 2017

2.3.8  Dsize

The dsize option is used to test the packet payload size. It may be set
to any value, plus use the greater than/less than signs to indicate
ranges and limits. For example, if you know that a certain service has a
buffer of a certain size, you can set this option to watch for attempted
buffer overflows. It has the added advantage of being a much faster way
to test for a buffer overflow than a payload content check.

This can also be used to check a range of values. For example, dsize:
400<>500 will return all the packets from 400 to 500 bytes in their
payload section.

These checks always will return false on a stream rebuilt packet.

This effectively makes most (all?) rules with dsize useless if you use
reassembly, or am I missing something?

A quick grep through the rules directory shows quite a few rules use dsize.
Is this something that needs to be reviewed?

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
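An added illustration (not Snort's own code) of the dsize semantics quoted above and of the rebuilt-packet caveat the post asks about: the option syntax follows the manual excerpt, while inclusive range bounds, the `Packet` type and the reassembly stand-in are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Matches the manual's forms: N, <N, >N and LO<>HI (range bounds assumed inclusive).
DSIZE_RE = re.compile(r"^(?:(?P<lo>\d+)<>(?P<hi>\d+)|(?P<op>[<>]?)(?P<n>\d+))$")


@dataclass
class Packet:
    payload: bytes
    rebuilt: bool = False  # True for a pseudo-packet produced by stream reassembly


def parse_dsize(spec: str):
    """Turn 'dsize:400<>500;', 'dsize:>1000', 'dsize:<10' or 'dsize:200'
    into a predicate over a payload length."""
    m = DSIZE_RE.match(spec.split(":", 1)[1].strip().rstrip(";"))
    if not m:
        raise ValueError(f"bad dsize spec: {spec!r}")
    if m.group("lo"):
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        return lambda n: lo <= n <= hi
    n = int(m.group("n"))
    return {"<": lambda x: x < n, ">": lambda x: x > n, "": lambda x: x == n}[m.group("op")]


def dsize_matches(spec: str, pkt: Packet) -> bool:
    """Evaluate a dsize option against one packet.

    As the manual states, the check is always false on a stream-rebuilt
    packet, regardless of how large its reassembled payload is."""
    if pkt.rebuilt:
        return False
    return parse_dsize(spec)(len(pkt.payload))


def reassemble(segments):
    """Constructed stand-in for the stream preprocessor: concatenates the
    segment payloads into a single rebuilt pseudo-packet."""
    return Packet(b"".join(s.payload for s in segments), rebuilt=True)


# Constructed sample: the same 450-byte payload delivered once as a single
# packet and once split across three TCP segments that get reassembled.
single = Packet(b"A" * 450)
segments = [Packet(b"A" * 200), Packet(b"A" * 200), Packet(b"A" * 50)]
rebuilt = reassemble(segments)

if __name__ == "__main__":
    print("single packet:", dsize_matches("dsize:400<>500;", single))       # True
    print("each segment: ", [dsize_matches("dsize:400<>500;", s) for s in segments])  # all False
    print("rebuilt:      ", dsize_matches("dsize:400<>500;", rebuilt))      # False
```

The last three lines show the concern raised in the post: once the payload is split, neither the individual segments nor the rebuilt pseudo-packet satisfy `dsize:400<>500`, so the size check only fires when the whole payload arrives in one packet.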

