Thu Nov 23 16:34:03 EST 2017
The dsize option is used to test the packet payload size. It may be set
to any value, plus use the greater than/less than signs to indicate
ranges and limits. For example, if you know that a certain service has a
buffer of a certain size, you can set this option to watch for attempted
buffer overflows. It has the added advantage of being a much faster way
to test for a buffer overflow than a payload content check.
This can also be used to check a range of values. For example, dsize:
400<>500 will return all the packets from 400 to 500 bytes in their
These checks will always return false on a stream-rebuilt packet.
This effectively makes most (all?) rules with dsize useless if you use
reassembly, or am I missing something?
A quick grep through the rules directory shows quite a few rules use dsize.
Is this something that needs to be reviewed?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
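To make the behaviour being asked about concrete, here is an added Python model of how the dsize option is evaluated; it is example code written for this page, not Snort's implementation and not the poster's. It parses the option forms quoted from the manual above and, as that text states, never matches a stream-rebuilt packet. The inclusive range bounds and the Packet class are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed parser for the dsize option syntax described above:
#   dsize:N       exact payload size
#   dsize:>N      greater than N
#   dsize:<N      less than N
#   dsize:A<>B    range; treated as inclusive here, as the quoted manual
#                 text reads (assumption: check the Snort version you run)
_DSIZE_RE = re.compile(
    r"^\s*(?:dsize\s*:\s*)?(?:(\d+)\s*<>\s*(\d+)|([<>])?\s*(\d+))\s*;?\s*$"
)


def parse_dsize(spec: str) -> Callable[[int], bool]:
    """Turn a dsize option string into a predicate over payload length."""
    m = _DSIZE_RE.match(spec)
    if not m:
        raise ValueError(f"bad dsize spec: {spec!r}")
    lo, hi, op, n = m.groups()
    if lo is not None:
        lo_i, hi_i = int(lo), int(hi)
        if lo_i > hi_i:
            raise ValueError("dsize range lower bound exceeds upper bound")
        return lambda size: lo_i <= size <= hi_i
    n_i = int(n)
    if op == ">":
        return lambda size: size > n_i
    if op == "<":
        return lambda size: size < n_i
    return lambda size: size == n_i


@dataclass
class Packet:
    """Minimal stand-in for a decoded packet (constructed for this example)."""
    payload_len: int
    rebuilt_stream: bool = False  # True when the stream preprocessor built it


def dsize_matches(spec: str, pkt: Packet) -> bool:
    # The check always fails on a stream-rebuilt packet, whatever its size:
    # this is the behaviour the post above is questioning.
    if pkt.rebuilt_stream:
        return False
    return parse_dsize(spec)(pkt.payload_len)


if __name__ == "__main__":
    for spec, pkt in [("dsize:400<>500;", Packet(450)),
                      ("dsize:>100", Packet(4000, rebuilt_stream=True))]:
        print(spec, pkt, dsize_matches(spec, pkt))
```

Running it shows the same rule matching a raw 4000-byte packet but not a rebuilt one of identical size, which is why the poster's concern applies to every dsize rule when reassembly is on.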