[Snort-users] newbie question ....
rhairyes at ...6860...
Tue Sep 10 13:23:02 EDT 2002
Yes it does ... thanks ... that does clear it up a lot for
me ... but I was still wondering how they got the >120 ... that isn't the
infection size... is it?
Quoting Erek Adams <erek at ...577...>:
: On Tue, 10 Sep 2002, Ryan Hairyes wrote:
: > I'm new to snort .... and I was wondering if someone may be able to point me
: > in the right direction. My question is .... how do you determine the
: > DSIZE when using the dsize option. I noticed with the virus.rules file
: > klez alert that the dsize is set to >120. Thanks for the help.
: "The dsize option is used to test the packet payload size. It may be set to
: any value, plus use the greater than/less than signs to indicate ranges and
: limits. For example, if you know that a certain service has a buffer of a
: certain size, you can set this option to watch for attempted buffer
: It has the added advantage of being a much faster way to test for a buffer
: overflow than a payload content check."
: Does that help?
: Erek Adams
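
As an added illustration of the manual text quoted above (not part of the original thread and not Snort's own code): a small Python model of how a dsize test such as >120 compares against the payload length and acts as a cheap filter before any content search runs. The marker pattern and payloads are constructed, the function names are hypothetical, and only the plain, greater-than and less-than forms mentioned in the quote are handled.

```python
import re

def parse_dsize(value):
    """Parse a dsize value such as '120', '>120' or '<120' into (op, n)."""
    m = re.fullmatch(r"\s*([<>]?)\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"unsupported dsize value: {value!r}")
    return (m.group(1) or "=", int(m.group(2)))

def dsize_matches(spec, payload_len):
    """Compare a payload length against a parsed dsize spec."""
    op, n = spec
    if op == ">":
        return payload_len > n   # strict: a payload of exactly n bytes does not match
    if op == "<":
        return payload_len < n
    return payload_len == n

def evaluate(payloads, dsize_value, content):
    """Apply the dsize test first, then search content only in the survivors.

    Returns (indexes of payloads that alert, number of content searches run).
    """
    spec = parse_dsize(dsize_value)
    alerts, searches = [], 0
    for i, payload in enumerate(payloads):
        if not dsize_matches(spec, len(payload)):
            continue             # one integer comparison, payload bytes never scanned
        searches += 1
        if content in payload:
            alerts.append(i)
    return alerts, searches

# Constructed sample data (not real traffic); MARKER is a placeholder pattern.
MARKER = b"EXAMPLE-MARKER"
SAMPLE_PAYLOADS = [
    b"HELO mail.example\r\n",                # 19 bytes, too small
    MARKER + b"A" * (120 - len(MARKER)),     # exactly 120 bytes, fails >120
    MARKER + b"A" * (121 - len(MARKER)),     # 121 bytes, passes and matches
    b"B" * 400,                              # passes dsize, no marker
]

if __name__ == "__main__":
    alerts, searches = evaluate(SAMPLE_PAYLOADS, ">120", MARKER)
    print(f"alerting payloads: {alerts}, content searches run: {searches}")
```

The second payload contains the marker but never alerts, which shows that the size test gates the content test rather than replacing it.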