Project

General

Profile

Actions

Feature #2538

open

dsize keyword improvements

Added by Cyrille Barbaux about 3 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
low
Difficulty:
medium
Label:

Description

Today, dsize is limited to detect if a payload size is smaller, equal or larger than a single value.

In order to improve abnormal packets detection, signatures should be able to:
- Detect if dsize is different than a specified value.
- Allow multiple dsizes in the same signature.

For example, I've got 2 use-cases from real world.

I've got an industrial protocol that uses the same payload size in every packet, let's say 100B. Today, I've got to write 2 rules, one with "dsize<100;" and a second one with "dsize>100;" as multiple dsizes are not allowed in the same signature.
It would be nice to write a single rule with dsize:!100;

Another protocol uses only 2 payload sizes, depending on the packet type, let's use 100B and 150B. I cannot detect the full range of anomaly with the current implementation.
The improvement should allow to write: "dsize:!100; dsize:!150;" or "dsize:![100,150];" in the signature.

Actions #1

Updated by Victor Julien about 3 years ago

  • Subject changed from dsize improvements to dsize keyword improvements
  • Assignee set to Anonymous
  • Target version set to TBD
  • Effort set to low
  • Difficulty set to medium

Difficulty is mostly in the interaction with the prefilter functionality.

Actions #2

Updated by Andreas Herz over 2 years ago

  • Assignee set to Community Ticket
Actions

Also available in: Atom PDF