The bufferlen option enables rule-writers to check the length of a given buffer. Users can check that the length of a buffer equals an exact size, or they can use a mathematical equality/inequality sign to compare a buffer's length to a given size or sizes.

A bufferlen check is written as the bufferlen keyword, followed by a colon character, optionally followed by an equality/inequality sign, and lastly followed by the number to compare against. A bufferlen check can also be made relative to a previous cursor move by adding ,relative after the number; the length is then measured from the current cursor position to the end of the buffer (the bytes remaining after the preceding match) rather than the length of the whole buffer.

Users can also use bufferlen to look for a length value that is between two numbers. This is done by setting the sign to <=> and putting the minimum number to the left of the sign and the maximum number to the right of it. The <> case is for an exclusive min-max check, while <=> is for an inclusive min-max check.

bufferlen number values are 0 through 65535 (inclusive).

bufferlen is tested against the pkt_data buffer (the packet payload) unless some other sticky buffer is specified before it, so a length check that is meant to apply to a service buffer such as http_uri or http_client_body must be preceded by that sticky buffer.
Note: Snort 2's urilen option has been removed, and Snort 3 rule-writers should use the http_uri sticky buffer + bufferlen to check URI lengths.
Examples:

# check that the packet payload contains more than 100 bytes
bufferlen:>100;

# check that the http_uri buffer contains exactly 10 bytes of data after the content match
http_uri; content:"/pizza.php?"; bufferlen:10,relative;

# check that the client body contains between 2 and 10 bytes (inclusive)
http_client_body; bufferlen:2<=>10;

# check that the client body contains between 2 and 10 bytes (exclusive)
http_client_body; bufferlen:2<>10;
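The following Python is an added example that models the bufferlen semantics described above and runs the examples against constructed buffers; it is not Snort's own parser or detection code. It assumes the single-value operators =, <, >, <= and >= (the page only says "equality/inequality sign"), models ,relative as the bytes remaining from the cursor to the end of the buffer, and treats pkt_data, http_uri and http_client_body as the only sticky buffers. The HTTP request and the buffers derived from it are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict

MAX_LEN = 65535  # bufferlen values are 0 through 65535 inclusive
# Single-value operators are an assumption (the page only says "equality/inequality
# sign"); the two range forms <> (exclusive) and <=> (inclusive) are the documented ones.
_SINGLE = re.compile(r"^(<=|>=|<|>|=)?(\d+)$")
_RANGE = re.compile(r"^(\d+)(<=>|<>)(\d+)$")
STICKY_BUFFERS = {"pkt_data", "http_uri", "http_client_body"}  # pkt_data is the default


def _bounded(*nums: int) -> None:
    for n in nums:
        if not 0 <= n <= MAX_LEN:
            raise ValueError(f"bufferlen: {n} is outside 0..{MAX_LEN}")


@dataclass(frozen=True)
class BufferLen:
    test: Callable[[int], bool]
    relative: bool

    def matches(self, buf: bytes, cursor: int = 0) -> bool:
        # ,relative measures from the cursor to the end of the buffer (the bytes
        # left after the preceding match); otherwise the whole buffer is measured.
        length = len(buf) - cursor if self.relative else len(buf)
        return self.test(length)


def parse_bufferlen(arg: str) -> BufferLen:
    """Parse the text after 'bufferlen:', e.g. '>100', '10,relative', '2<=>10'."""
    arg = arg.strip().rstrip(";").replace(" ", "")
    relative = arg.endswith(",relative")
    if relative:
        arg = arg[: -len(",relative")]
    m = _RANGE.match(arg)
    if m:
        lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
        _bounded(lo, hi)
        if lo > hi:
            raise ValueError(f"bufferlen: min {lo} exceeds max {hi}")
        if op == "<=>":
            return BufferLen(lambda n: lo <= n <= hi, relative)  # inclusive
        return BufferLen(lambda n: lo < n < hi, relative)  # exclusive
    m = _SINGLE.match(arg)
    if not m:
        raise ValueError(f"bufferlen: cannot parse {arg!r}")
    op, num = m.group(1) or "=", int(m.group(2))
    _bounded(num)
    ops = {"=": lambda n: n == num, "<": lambda n: n < num, ">": lambda n: n > num,
           "<=": lambda n: n <= num, ">=": lambda n: n >= num}
    return BufferLen(ops[op], relative)


def evaluate(options: str, buffers: Dict[str, bytes]) -> bool:
    """Walk a rule-body fragment (sticky buffer selectors, bare content:"..."
    matches, bufferlen checks) left to right, as the examples on the page read.
    A content match moves the cursor to the end of the match; selecting a sticky
    buffer the traffic did not produce (http_uri on non-HTTP data) cannot match."""
    buf_name, cursor = "pkt_data", 0
    for opt in filter(None, (o.strip() for o in options.split(";"))):
        if opt in STICKY_BUFFERS:
            if opt not in buffers:
                return False
            buf_name, cursor = opt, 0
            continue
        name, _, arg = opt.partition(":")
        buf = buffers[buf_name]
        if name == "content":
            needle = arg.strip().strip('"').encode()
            pos = buf.find(needle, cursor)
            if pos < 0:
                return False
            cursor = pos + len(needle)
        elif name == "bufferlen":
            if not parse_bufferlen(arg).matches(buf, cursor):
                return False
        else:
            raise ValueError(f"unsupported option {name!r}")
    return True


# Constructed sample: one HTTP POST and the buffers an HTTP inspector would expose.
REQUEST = (b"POST /pizza.php?toppings=1 HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"Content-Length: 10\r\n\r\n"
           b"0123456789")
BUFFERS = {
    "pkt_data": REQUEST,                   # 89 bytes: bufferlen:>100 does not fire
    "http_uri": b"/pizza.php?toppings=1",  # 21 bytes; 10 remain after "/pizza.php?"
    "http_client_body": b"0123456789",     # exactly 10 bytes: 2<=>10 fires, 2<>10 does not
}

if __name__ == "__main__":
    for rule in ("bufferlen:>100;",
                 'http_uri; content:"/pizza.php?"; bufferlen:10,relative;',
                 "http_client_body; bufferlen:2<=>10;",
                 "http_client_body; bufferlen:2<>10;"):
        print(f"{rule:58} -> {evaluate(rule, BUFFERS)}")
```

Two points worth checking against your own rules: dropping ,relative from the http_uri example turns it into a check of the whole 21-byte URI and the rule stops matching, and a bufferlen placed before any sticky buffer is measured against the packet payload, not the HTTP buffer you may have had in mind.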