[Snort-users] newbie question ....

Ryan Hairyes rhairyes at ...6860...
Tue Sep 10 13:23:02 EDT 2002

Yes it does ... thanks ...  that does clear it up a lot for
me ... but I was still wondering how they got the >120 ... that isn't the 
infection size... is it?

Thanks again.

Quoting Erek Adams <erek at ...577...>:

: On Tue, 10 Sep 2002, Ryan Hairyes wrote:
: > Im new to snort .... and I was wondering if someone maybe able to point
: me
: > in the right direction.  My question is .... how do you determine the
: > DSIZE when using the dsize option.  I noticed with the virus.rules file
: the
: > klez alert that the dsize is set to >120.  Thanks for the help.
: Sure.
: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.8
: "The dsize option is used to test the packet payload size. It may be set to
: any value, plus use the greater than/less than signs to indicate ranges and
: limits. For example, if you know that a certain service has a buffer of a
: certain size, you can set this option to watch for attempted buffer
: overflows.
: It has the added advantage of being a much faster way to test for a buffer
: overflow than a payload content check."
: Does that help?
: -----
: Erek Adams
: Nifty-Type-Guy
: TheAdamsFamily.Net

More information about the Snort-users mailing list