[Snort-users] Snort and matching window size?
mkettler at ...4108...
Mon Jun 30 08:25:16 EDT 2003
At 07:21 AM 6/30/2003 -0600, James Lay wrote:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server
>as my rule, but I'd like to know if there's a way to match the window
>size. I tried matchine it with a content matching keyword, but that
>didn't work. Does the content keyword match just the data portion of the
>packet? Or does it content match against headers as well? Thanks all!
Content matches the data only.
There is however an option to check the tcp window size directly, although
it's not in the formal documentation...
Quoting Brian <bmc at ...950...> from the snort-sigs list on 6/12/03:
>Snort has support for checking the window size. It has been an
>undocumented feature for the last 2 years.
More information about the Snort-users