[Snort-users] Depth limit of binary flow using just pcre (no content option)

waldo kitty wkitty42 at ...14940...
Fri Jul 19 14:42:11 EDT 2013

On 7/19/2013 14:20, Frank Calone wrote:
> I'd like to test just the first 500 bytes of a session for a pcre pattern.  I've
> seen port 80 session data with just raw tranfers, no http related stuff.  It

are you sure that those are not just additional packets carry data for an 
initial http session? they may be carrying binary data like graphics or they ma 
be part of a gzipped session...

> appears the "depth" option must have a content check.  I really don't have a
> good content criteria to test for.  My interest is strictly in just a pattern.
> Any ideas on how to limit the testing to just 500 bytes of any given session?  I
> have some content only rules that are not alerting when I added the pcre tests.
> I suspect trying to analyze all sessions and all bytes for a dozen different
> patterns is a bit much to ask of Snort.

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list