The `stream_size` rule option is used to check the stream size of a given TCP session. Rule writers can check whether the `stream_size` is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value, or they can check that the stream size is between a range of numbers, using the `<>` range operator for an exclusive range check or the `<=>` operator for an inclusive one.

By default, the specified value gets checked against both the client's and the server's TCP sequence numbers, marking it as a "match" if either check passes. However, rule writers can also specify that the `stream_size` apply only to TCP sequence numbers from the server, client, or both server and client. This is done by placing a comma at the end of the argument followed by one of four possible options:
```
# Look for sessions containing traffic to the server where the
# stream size is equal to 125 bytes
stream_size:=125,to_server;
```

```
# Look for sessions where the stream size values from both
# the client and server are between 0 and 100 bytes (exclusive)
stream_size:0<>100,both;
```
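The matching behaviour described above can be modelled in a few lines. This is an added example, not Snort's own code: it parses a `stream_size` option string and evaluates it against two caller-supplied per-direction byte counts. The function names, the `either` and `to_client` keywords (not listed on this page) and the `!`/`!=` spellings of "not equal" are assumptions.

```python
import operator
import re

# Comparison operators described on the page. "!" and "!=" for "not equal"
# are assumed spellings; the page names the comparison but not its symbol.
COMPARE = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
           "!": operator.ne, "!=": operator.ne,
           "<=": operator.le, ">=": operator.ge}

# to_server and both appear in the page's examples; either (the default)
# and to_client are assumed names for the remaining two directions.
DIRECTIONS = ("either", "to_server", "to_client", "both")

OPTION = re.compile(
    r"^stream_size:\s*(?:(\d+)\s*(<=>|<>)\s*(\d+)|(<=|>=|!=|<|>|=|!)\s*(\d+))"
    r"\s*(?:,\s*(\w+))?\s*;$")


def parse_stream_size(option):
    """Return (predicate, direction) for one stream_size option string."""
    m = OPTION.match(option.strip())
    if not m:
        raise ValueError(f"malformed option: {option!r}")
    low, range_op, high, op, value, direction = m.groups()
    direction = direction or "either"
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction: {direction!r}")
    if range_op:
        lo, hi = int(low), int(high)
        if range_op == "<>":                         # exclusive bounds
            return (lambda n: lo < n < hi), direction
        return (lambda n: lo <= n <= hi), direction  # "<=>": inclusive bounds
    compare, bound = COMPARE[op], int(value)
    return (lambda n: compare(n, bound)), direction


def matches(option, to_server_bytes, to_client_bytes):
    """Evaluate the option against the two per-direction stream sizes."""
    check, direction = parse_stream_size(option)
    if direction == "to_server":
        return check(to_server_bytes)
    if direction == "to_client":
        return check(to_client_bytes)
    hits = (check(to_server_bytes), check(to_client_bytes))
    # "both" needs every direction to pass; "either" needs only one.
    return all(hits) if direction == "both" else any(hits)
```

With constructed sizes of 50 and 100 bytes, `0<>100,both` does not match because 100 sits on the excluded upper bound, while `0<=>100,both` does.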