[Snort-users] Snort and matching window size?
slave_tothe_box at ...131...
Mon Jun 30 08:40:23 EDT 2003
On Mon, 30 Jun 2003 11:23:01 -0400
"Matt Kettler" <mkettler at ...4108...> wrote:
> At 07:21 AM 6/30/2003 -0600, James Lay wrote:
> >alert tcp $EXTERNAL_NET any -> $HOME_NET 6588 (msg:"AnalogX Proxy Server
> >Scan"; flags:S;)
> >as my rule, but I'd like to know if there's a way to match the window
> >size. I tried matchine it with a content matching keyword, but that
> >didn't work. Does the content keyword match just the data portion of the
> >packet? Or does it content match against headers as well? Thanks all!
> Content matches the data only.
> There is however an option to check the tcp window size directly, although
> it's not in the formal documentation...
> Quoting Brian <bmc at ...950...> from the snort-sigs list on 6/12/03:
> >Snort has support for checking the window size. It has been an
> >undocumented feature for the last 2 years.
> > window:[!]<window_size>;
JUST what the doctor ordered...I'm hoping the data is given in decimal and not hex...but I'll try both. Any other undocumented features out there? Thanks!
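An added illustration (not code from this thread or from the Snort project) of why a `content:` match could never see the window size while the `window:[!]<window_size>` option can: it parses a constructed TCP SYN segment to port 6588, evaluates a window spec the way the rule option is written, and searches the payload the way `content:` does. It assumes the option value is decimal.

```python
import struct

# Constructed sample: a 20-byte TCP header (no options) followed by 4 payload bytes.
# sport 40000, dport 6588 (the AnalogX proxy port from the rule), seq 1, ack 0,
# data offset 5 words, flags SYN (0x02), window 8192 (0x2000), checksum 0, urgent 0.
SAMPLE_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 6588, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + b"GET "

def parse_tcp(segment):
    """Split a TCP segment into the header fields a rule can test plus the payload."""
    sport, dport, _seq, _ack, off_flags, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_flags >> 4) * 4          # header length in bytes
    return {"sport": sport, "dport": dport, "syn": bool(flags & 0x02),
            "window": window, "payload": segment[data_offset:]}

def window_matches(segment, spec):
    """Evaluate a `window:[!]<window_size>` value ("8192" or "!8192") against the header.
    Assumption: the value is decimal, as in the Snort manual's later example."""
    negate = spec.startswith("!")
    expected = int(spec.lstrip("!"), 10)
    hit = parse_tcp(segment)["window"] == expected
    return not hit if negate else hit

def content_matches(segment, pattern):
    """`content:` searches only the payload, so header bytes are invisible to it."""
    return pattern in parse_tcp(segment)["payload"]

def rule_matches(segment, window_spec):
    """The thread's rule (dport 6588, flags:S) extended with a window check."""
    fields = parse_tcp(segment)
    return fields["dport"] == 6588 and fields["syn"] and window_matches(segment, window_spec)

if __name__ == "__main__":
    print("window field:", parse_tcp(SAMPLE_SEGMENT)["window"])
    print("content finds 0x2000 in payload:", content_matches(SAMPLE_SEGMENT, b"\x20\x00"))
    print("rule with window:8192 fires:", rule_matches(SAMPLE_SEGMENT, "8192"))
```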