stream_size
The stream_size rule option is used to check the stream size of the current TCP session. This rule option provides an effective way to check the number of bytes that have been sent and received so far during the stream.
Rule writers can check whether the stream_size is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value, or they can check that the size falls within a range of numbers, using the <> range operator for an exclusive range check or the <=> operator for an inclusive one.
By default, the specified value gets checked against both the number of bytes sent by the client and the number of bytes sent by the server, and the option matches if either check passes. However, rule writers can also specify that stream_size checks only the number of bytes sent to the server, only the number of bytes sent to the client, or the combined number of bytes sent to the client and to the server. This is done by placing a comma at the end of the argument followed by to_server, to_client, or both, respectively.
An easy way to identify the stream_size value to use in a rule is to check the relative TCP sequence and acknowledgment numbers present in a given TCP packet. For example, to check how many total bytes have been sent to the server so far (including the current packet), add the current packet's relative sequence number to the length of its payload and use that sum as the "bytes" argument.
Format:
Single value comparison:
stream_size:[<|>|=|!|<=|>=]bytes[,{either|to_server|to_client|both}];
Range comparison:
stream_size:min_bytes{<>|<=>}max_bytes[,{either|to_server|to_client|both}];
Examples:
# Check that the number of bytes sent to the server plus the
# number of bytes sent in this current packet equals 125
flow:to_server,established;
stream_size:125,to_server;
# Check that the number of bytes sent to the client equals 10
flow:to_server,established;
stream_size:10,to_client;
# Check that (the number of bytes sent to the server plus the
# number of bytes sent in this current packet) plus (the number
# of bytes sent to the client) is greater than 0 but less than 100
flow:to_server,established;
stream_size:0<>100,both;
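The following Python is an added illustration, not part of the original documentation or of Snort itself: it parses stream_size arguments in the format shown above and evaluates them against per-direction byte counts derived the way the text describes (relative sequence number plus payload length). The session segments are constructed for the example and assume Wireshark-style relative sequence numbers that start at 1 after the handshake.

```python
import re

DIRECTION = r'(?:,(either|to_server|to_client|both))?$'   # optional direction suffix
SINGLE = re.compile(r'^(<=|>=|<|>|=|!)?(\d+)' + DIRECTION)
RANGE = re.compile(r'^(\d+)(<>|<=>)(\d+)' + DIRECTION)

def stream_size_matches(arg, to_server, to_client):
    """Evaluate one stream_size argument (e.g. '0<>100,both') against the bytes seen so far."""
    m = RANGE.match(arg)
    if m:
        lo, op, hi, direction = int(m[1]), m[2], int(m[3]), m[4] or 'either'
        if op == '<>':
            test = lambda n: lo < n < hi       # exclusive range
        else:
            test = lambda n: lo <= n <= hi     # inclusive range (<=>)
    else:
        m = SINGLE.match(arg)
        if not m:
            raise ValueError(f'bad stream_size argument: {arg!r}')
        op, val, direction = m[1] or '=', int(m[2]), m[3] or 'either'
        ops = {
            '<': lambda n: n < val, '>': lambda n: n > val,
            '=': lambda n: n == val, '!': lambda n: n != val,
            '<=': lambda n: n <= val, '>=': lambda n: n >= val,
        }
        test = ops[op]
    if direction == 'to_server':
        return test(to_server)
    if direction == 'to_client':
        return test(to_client)
    if direction == 'both':                    # both: the two counts summed
        return test(to_server + to_client)
    return test(to_server) or test(to_client)  # either (default): match if one passes

def stream_sizes(segments):
    """Replay (direction, relative seq, payload len) segments; return the counts after the last one."""
    sizes = {'to_server': 0, 'to_client': 0}
    for direction, rel_seq, payload_len in segments:
        # Rule of thumb from the text: relative sequence number + payload length.
        sizes[direction] = rel_seq + payload_len
    return sizes

# Constructed exchange, not a real capture: relative sequence numbers start at 1
# after the handshake (Wireshark-style, the SYN having consumed sequence number 0).
SEGMENTS = [('to_server', 1, 124), ('to_client', 1, 9)]

if __name__ == '__main__':
    sizes = stream_sizes(SEGMENTS)   # {'to_server': 125, 'to_client': 10}
    for arg in ('125,to_server', '10,to_client', '0<>100,both', '100<=>135,both'):
        print(f'stream_size:{arg}; ->', stream_size_matches(arg, **sizes))
```

Against the constructed session the first two documented examples match, the exclusive 0<>100,both range does not (the combined count is 135), and the inclusive 100<=>135,both range does.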