stream_size

The stream_size rule option is used to check the stream size of a given TCP session.

Rule writers can check whether the stream_size is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value, or they can check that the stream size falls within a range of numbers, using the <> range operator for an exclusive range check or the <=> operator for an inclusive one.

By default, the specified value gets checked against both the client and server's TCP sequence numbers, marking it as a "match" if either check passes. However, rule writers can also specify that the stream_size apply only to TCP sequence numbers from the server, client, or both server and client. This is done by placing a comma at the end of the argument followed by one of four possible options: either, to_server, to_client, and both.

Format:

Single value comparison:
stream_size:[<|>|=|!|<=|>=]bytes[,{either|to_server|to_client|both}];
Range comparison:
stream_size:min_bytes{<>|<=>}max_bytes[,{either|to_server|to_client|both}];

Examples:

# Look for sessions containing traffic to the server where the
# stream size is equal to 125 bytes
stream_size:=125,to_server;
# Look for sessions where the stream size values from both
# the client and server are between 0 and 100 bytes (exclusive)
stream_size:0<>100,both;
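
To sanity-check how an operator and direction combine before deploying a rule, the following added example (not Snort's own code) models the format and matching behavior described above. The names parse_stream_size and matches are hypothetical, the byte counts are constructed inputs, and treating a bare number as an equality check is an assumption.

```python
import re

# Illustrative model of the stream_size grammar shown above; not Snort source.
_RANGE = re.compile(r"^(\d+)(<=>|<>)(\d+)$")
_SINGLE = re.compile(r"^(<=|>=|<|>|=|!)?(\d+)$")
_DIRECTIONS = ("either", "to_server", "to_client", "both")
_OPS = {
    "<": lambda v, n: v < n,
    ">": lambda v, n: v > n,
    "=": lambda v, n: v == n,
    "!": lambda v, n: v != n,
    "<=": lambda v, n: v <= n,
    ">=": lambda v, n: v >= n,
}


def parse_stream_size(option):
    """Parse 'stream_size:...;' into (predicate, direction)."""
    text = option.strip()
    if not (text.startswith("stream_size:") and text.endswith(";")):
        raise ValueError("not a stream_size option: %r" % option)
    expr, sep, direction = text[len("stream_size:"):-1].partition(",")
    direction = direction if sep else "either"  # default per the page
    if direction not in _DIRECTIONS:
        raise ValueError("unknown direction: %r" % direction)
    m = _RANGE.match(expr)
    if m:
        lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "<>":  # exclusive: the bounds themselves do not match
            return (lambda v: lo < v < hi), direction
        return (lambda v: lo <= v <= hi), direction  # inclusive
    m = _SINGLE.match(expr)
    if not m:
        raise ValueError("bad stream_size expression: %r" % expr)
    # Assumption: a bare number with no operator is an equality check.
    op, n = m.group(1) or "=", int(m.group(2))
    return (lambda v: _OPS[op](v, n)), direction


def matches(option, to_server_bytes, to_client_bytes):
    """Evaluate the option against constructed per-direction stream sizes."""
    pred, direction = parse_stream_size(option)
    s, c = pred(to_server_bytes), pred(to_client_bytes)
    return {"either": s or c, "both": s and c,
            "to_server": s, "to_client": c}[direction]
```

Note that with the exclusive operator a 100-byte stream does not satisfy 0<>100, while it does satisfy 0<=>100.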