[Snort-users] Snort and matching window size?

Matt Kettler mkettler at ...4108...
Mon Jun 30 08:25:16 EDT 2003

At 07:21 AM 6/30/2003 -0600, James Lay wrote:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server 
>Scan"; flags:S;)
>as my rule, but I'd like to know if there's a way to match the window 
>size.  I tried matchine it with a content matching keyword, but that 
>didn't work.  Does the content keyword match just the data portion of the 
>packet?  Or does it content match against headers as well?  Thanks all!

Content matches the data only.

There is however an option to check the tcp window size directly, although 
it's not in the formal documentation...

Quoting Brian <bmc at ...950...> from the snort-sigs list on 6/12/03:

>Snort has support for checking the window size.  It has been an
>undocumented feature for the last 2 years.
>    window:[!]<window_size>;

More information about the Snort-users mailing list