[Snort-users] Snort and matching window size?

James Lay slave_tothe_box at ...131...
Mon Jun 30 08:40:23 EDT 2003


On Mon, 30 Jun 2003 11:23:01 -0400
"Matt Kettler" <mkettler at ...4108...> wrote:

> At 07:21 AM 6/30/2003 -0600, James Lay wrote:
> >alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server Scan"; flags:S;)
> >
> >as my rule, but I'd like to know if there's a way to match the window 
> >size.  I tried matching it with a content matching keyword, but that 
> >didn't work.  Does the content keyword match just the data portion of the 
> >packet?  Or does it content match against headers as well?  Thanks all!
> >
> >James
> 
> Content matches the data only.
> 
> There is however an option to check the tcp window size directly, although 
> it's not in the formal documentation...
> 
> 
> Quoting Brian <bmc at ...950...> from the snort-sigs list on 6/12/03:
> 
> >Snort has support for checking the window size.  It has been an
> >undocumented feature for the last 2 years.
> >
> >    window:[!]<window_size>;

JUST what the doctor ordered...I'm hoping the data is given in decimal and not hex...but I'll try both.  Any other undocumented features out there?  Thanks!

James
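The distinction in the thread (content: inspects only the TCP payload; window: inspects the TCP header's window field) can be shown with a small emulation. The following is an added example, not Snort code and not from anyone on the list: it builds a constructed IPv4/TCP SYN to port 6588 inline, parses the window field, and evaluates the two keywords the way Snort applies them. The function names (build_packet, parse, match_window, match_content, evaluate) are hypothetical. The window value is taken as decimal, which is how later Snort manuals document the keyword (e.g. window:55808;).

```python
import struct

def build_packet(dst_port, window, payload=b"", flags=0x02):
    """Constructed sample packet: IPv4 (no options) + TCP header + payload.
    Checksums are left as 0; this is offline test data, not a real capture."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH",
                      40000, dst_port, 1, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp + payload

def parse(pkt):
    """Pull the fields a rule engine would look at out of the raw bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    (sport, dport, seq, ack, off, flags,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    return {"dport": dport, "flags": flags, "window": window,
            "payload": tcp[doff:]}

def match_window(fields, spec):
    """Emulate window:[!]<size>; spec is '8192' or '!8192' (decimal)."""
    negate = spec.startswith("!")
    size = int(spec.lstrip("!"))
    return (fields["window"] == size) != negate

def match_content(fields, pattern):
    """Emulate content: the search runs over the payload only, never headers."""
    return pattern in fields["payload"]

def evaluate(pkt, dport, syn_only=True, window=None, content=None):
    """Evaluate a rule like: tcp any -> $HOME_NET <dport> (flags:S; window:...; content:...;)"""
    f = parse(pkt)
    if f["dport"] != dport:
        return False
    if syn_only and f["flags"] != 0x02:      # flags:S; means SYN and nothing else
        return False
    if window is not None and not match_window(f, window):
        return False
    if content is not None and not match_content(f, content):
        return False
    return True

if __name__ == "__main__":
    pkt = build_packet(6588, 8192, b"GET / HTTP/1.0\r\n")
    print("window field:", parse(pkt)["window"])
    print("window:8192 matches:", evaluate(pkt, 6588, window="8192"))
    # 8192 == 0x2000 is present in the raw bytes, but content cannot see it
    print("raw bytes contain 20 00:", b"\x20\x00" in pkt)
    print("content:|20 00| matches:", evaluate(pkt, 6588, content=b"\x20\x00"))
```

Running the block shows the window keyword firing on the SYN while a content match for the same two bytes fails, because the bytes live in the header rather than the payload. A SYN-ACK (flags 0x12) or a packet to another port does not match the rule at all.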
