[Snort-users] Snort and matching window size?

Matt Kettler mkettler at ...4108...
Mon Jun 30 08:25:16 EDT 2003


At 07:21 AM 6/30/2003 -0600, James Lay wrote:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server Scan"; flags:S;)
>
>as my rule, but I'd like to know if there's a way to match the window 
>size.  I tried matching it with a content matching keyword, but that 
>didn't work.  Does the content keyword match just the data portion of the 
>packet?  Or does it content match against headers as well?  Thanks all!
>
>James

Content matches the data only.

There is however an option to check the tcp window size directly, although 
it's not in the formal documentation...


Quoting Brian <bmc at ...950...> from the snort-sigs list on 6/12/03:

>Snort has support for checking the window size.  It has been an
>undocumented feature for the last 2 years.
>
>    window:[!]<window_size>;

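An added illustration, not part of the original thread and not Snort's own code: a small Python model of the distinction described in the reply, where a content-style search sees only the TCP payload while a window-style check compares the 16-bit window field in the header. The window values, source port and payload bytes are constructed samples; only port 6588 comes from the rule above.

```python
import struct

TCP_HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset+flags, window, checksum, urgent
SYN, PSH_ACK = 0x02, 0x18

def build_tcp_segment(sport, dport, flags, window, payload=b""):
    """Constructed sample: 20-byte TCP header (no options, checksum 0) plus payload."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words = 20 bytes
    return struct.pack(TCP_HDR, sport, dport, 0, 0, offset_flags, window, 0, 0) + payload

def parse_tcp(segment):
    """Split a raw TCP segment into the header fields used here and its payload."""
    _, dport, _, _, off_flags, window, _, _ = struct.unpack(TCP_HDR, segment[:20])
    header_len = (off_flags >> 12) * 4  # honours TCP options if present
    return {"dport": dport, "flags": off_flags & 0x3F,
            "window": window, "payload": segment[header_len:]}

def content_match(tcp, pattern):
    """Model of 'content': searches the data portion only, never the header."""
    return pattern in tcp["payload"]

def window_match(tcp, size, negate=False):
    """Model of 'window:[!]<window_size>;': exact compare on the header field."""
    return (tcp["window"] == size) != negate

# Constructed packets: a bare SYN to port 6588 with window 16384, and a data
# segment whose payload happens to contain the bytes 0x40 0x00 (16384).
WINDOW = 16384
NEEDLE = struct.pack("!H", WINDOW)
SYN_SEG = build_tcp_segment(1025, 6588, SYN, WINDOW)
DATA_SEG = build_tcp_segment(1025, 6588, PSH_ACK, 8192, b"GET " + NEEDLE)

if __name__ == "__main__":
    for name, seg in (("SYN", SYN_SEG), ("DATA", DATA_SEG)):
        tcp = parse_tcp(seg)
        print(name, "content:", content_match(tcp, NEEDLE),
              "window:", window_match(tcp, WINDOW),
              "!window:", window_match(tcp, WINDOW, negate=True))
```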





