
Support #2624

closed

Does dsize support stream_size when combined?

Added by Anonymous over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hello!

I have a few questions about dsize and stream_size.

First of all, tso offload of all computers is off.

alert tcp any any -> any 80 (msg:"dsize"; flow:to_server,established,no_stream; dsize:0<>1000; sid:1; rev:1;)

I applied the rule as above and the length of the transmitting TCP segment is 1460 except the first and the last packets. So only the first and last two packets match normally.

I changed the rule to match the payload size from 1 to 999 with sequences less than 5000.

alert tcp any any -> any 80 (msg:"dsize"; flow:to_server,established,no_stream; dsize:0<>1000; stream_size:server,<,5000; sid:1; rev:1;)

However, after changing the rules like this, an unknown payload size match occurs.

The payload size is 1460 when viewed on all links except the first and last. However, unknown payload sizes such as 470 or 608 are matched.

Am I misunderstanding stream_size?

I will wait for an answer

Thank you
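As an added example (not from the reporter or the Suricata project), the following Python script models how the two rules above are evaluated over a constructed TCP session. It assumes that stream_size:server is the server direction's next sequence number minus its initial sequence number, and that stream tracking is updated before detection runs; the names build_flow and matches are mine.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    to_server: bool   # True for client -> server, False for server -> client
    seq: int          # TCP sequence number of the first payload byte
    payload: int      # payload length in bytes

# Initial sequence numbers of the two sides (constructed values)
CLIENT_ISN, SERVER_ISN = 1000, 5000

def build_flow():
    """Constructed session: a request, a large response, then a second request."""
    flow, cseq, sseq = [], CLIENT_ISN + 1, SERVER_ISN + 1
    for n in (100, 1460, 1460, 300):           # request 1
        flow.append(Segment(True, cseq, n)); cseq += n
    for n in (1460, 1460, 1460, 1460, 500):    # response 1 (6340 bytes)
        flow.append(Segment(False, sseq, n)); sseq += n
    for n in (100, 1460, 200):                 # request 2
        flow.append(Segment(True, cseq, n)); cseq += n
    return flow

def dsize_in_range(payload, lo, hi):
    # 'dsize:lo<>hi' as the post reads it: 0<>1000 means 1..999 (exclusive bounds)
    return lo < payload < hi

def matches(flow, dsize=(0, 1000), server_stream_lt=None):
    """Payload sizes of to_server segments that match the rule.

    With server_stream_lt=N the rule also carries stream_size:server,<,N; the
    server-side size is modelled (assumption) as server next_seq minus server
    ISN+1, i.e. bytes the server has sent so far, updated before detection."""
    next_seq = {True: CLIENT_ISN + 1, False: SERVER_ISN + 1}
    hits = []
    for seg in flow:
        next_seq[seg.to_server] = seg.seq + seg.payload   # stream tracking first
        if not seg.to_server:
            continue                                      # flow:to_server
        if not dsize_in_range(seg.payload, *dsize):
            continue
        server_size = next_seq[False] - (SERVER_ISN + 1)
        if server_stream_lt is not None and server_size >= server_stream_lt:
            continue                                      # stream_size:server,<,N
        hits.append(seg.payload)
    return hits

if __name__ == "__main__":
    print(matches(build_flow()))                         # dsize only
    print(matches(build_flow(), server_stream_lt=5000))  # with stream_size
```

Once the server has sent 5000 or more bytes, the second request's small segments no longer match even though their dsize is still in range, which is the kind of difference the stream_size constraint introduces.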

Actions #1

Updated by Anonymous over 5 years ago

Sorry

I applied the rule as above and the length of the transmitting TCP segment is 1460 except the first and the last packets. So only the first and last two packets match normally.

--->>>>

I applied the rule as above and the length of the transmitting TCP segment is 1460 except the first and the last packets. So it matches normally except for the first and last two packets.

Actions #2

Updated by Victor Julien over 5 years ago

  • Status changed from New to Closed

Seems the original reporter removed his/her account, so closing.
