bufferlen

The bufferlen option lets rule-writers check the length of a given buffer. The length can be tested for equality with an exact size, or compared against a given size or range of sizes using a comparison operator.

A bufferlen option is declared with the bufferlen keyword, followed by a colon, an optional comparison operator, and the number to compare against. A bufferlen check can also be made relative to a previous cursor move by adding ,relative after the number; in that case the length tested is the number of bytes from the current cursor position to the end of the buffer, rather than the length of the whole buffer (see the http_uri example below).

Users can also use bufferlen to check that a length falls between two numbers. This is done by using <> or <=> as the operator, with the minimum number to the left of the operator and the maximum number to the right of it. <> performs an exclusive min-max check (the length must be strictly greater than the minimum and strictly less than the maximum), while <=> performs an inclusive check (the length may equal either bound).

Valid bufferlen number values are 0 through 65535 (inclusive).

bufferlen will be tested against the pkt_data buffer unless some other sticky buffer is specified before it.

Note: Snort 2's urilen option has been removed, and Snort 3 rule-writers should use the http_uri sticky buffer + bufferlen to check URI lengths.

Format:

Single value comparison:
bufferlen:[<|>|=|!|<=|>=]length[,relative];
Range comparison:
bufferlen:min_length{<>|<=>}max_length[,relative];

Examples:

# check that the packet payload contains more than 100 bytes
bufferlen:>100;

http_uri;
content:"/pizza.php?";
# check that the http_uri buffer contains exactly 10 bytes of data after the content match
bufferlen:10,relative;

http_client_body;
# check that the client body contains between 2 and 10 bytes (inclusive)
bufferlen:2<=>10;

http_client_body;
# check that the client body contains between 2 and 10 bytes (exclusive)
bufferlen:2<>10;
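The following is an added example and is not code from the Snort project: a small Python model of the bufferlen syntax and comparisons described on this page (the single-value form, the <> and <=> range forms, the 0 through 65535 limit, and ,relative measured from the cursor left by a content match). The function names parse_bufferlen, is_valid_bufferlen, bufferlen_matches and check_uri_after_content, and the sample URI and body bytes, are assumptions constructed for illustration; Snort's real implementation is C++ and may differ in details this page does not document (for example, how a range whose minimum exceeds its maximum is treated).

```python
import re

# Added example: a Python model of the bufferlen semantics described on this
# page. It is not Snort's own code (Snort's implementation is C++); it only
# reproduces the documented syntax and comparisons so that the forms can be
# tried against sample buffers.

LEN_MIN, LEN_MAX = 0, 65535  # documented range for bufferlen numbers

_SINGLE = re.compile(r"^(<=|>=|<|>|=|!)?(\d+)$")   # [<|>|=|!|<=|>=]length
_RANGE = re.compile(r"^(\d+)(<>|<=>)(\d+)$")       # min_length{<>|<=>}max_length


def _number(text):
    n = int(text)
    if not LEN_MIN <= n <= LEN_MAX:
        raise ValueError(f"bufferlen value {n} is outside {LEN_MIN}..{LEN_MAX}")
    return n


def parse_bufferlen(option):
    """Parse 'bufferlen:<spec>;' into a dict. The 'bufferlen:' prefix and the
    trailing ';' are optional, so bare specs such as '2<=>10' also parse."""
    spec = option.strip()
    if spec.startswith("bufferlen:"):
        spec = spec[len("bufferlen:"):]
    spec = spec.rstrip(";").replace(" ", "")
    relative = spec.endswith(",relative")
    if relative:
        spec = spec[: -len(",relative")]
    m = _RANGE.match(spec)
    if m:
        return {"kind": "range", "op": m.group(2), "min": _number(m.group(1)),
                "max": _number(m.group(3)), "relative": relative}
    m = _SINGLE.match(spec)
    if m:
        return {"kind": "single", "op": m.group(1) or "=",
                "value": _number(m.group(2)), "relative": relative}
    raise ValueError(f"unparseable bufferlen option: {option!r}")


def is_valid_bufferlen(option):
    """True if the option parses and every number is within 0..65535."""
    try:
        parse_bufferlen(option)
        return True
    except ValueError:
        return False


def bufferlen_matches(option, buf, cursor=0):
    """Evaluate option against buf. cursor is the position left by an earlier
    match (0 if none); with ,relative the length tested is the number of bytes
    from the cursor to the end of the buffer instead of the whole buffer."""
    p = parse_bufferlen(option)
    n = max(len(buf) - cursor, 0) if p["relative"] else len(buf)
    if p["kind"] == "range":
        if p["op"] == "<>":                      # exclusive min-max check
            return p["min"] < n < p["max"]
        return p["min"] <= n <= p["max"]         # <=> is the inclusive check
    v = p["value"]
    return {"=": n == v, "!": n != v, "<": n < v, "<=": n <= v,
            ">": n > v, ">=": n >= v}[p["op"]]


def check_uri_after_content(uri, content, option):
    """Model the sequence  http_uri; content:"..."; bufferlen:N,relative;
    A successful content match moves the cursor just past the matched bytes;
    bufferlen with ,relative then measures what remains of the URI buffer."""
    idx = uri.find(content)
    if idx < 0:
        return False   # content did not match, so the rule fails before bufferlen
    return bufferlen_matches(option, uri, cursor=idx + len(content))


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    payload = b"A" * 101
    print(bufferlen_matches("bufferlen:>100;", payload))                           # True
    uri = b"/pizza.php?topping=ham"   # 11 bytes remain after "/pizza.php?" matches
    print(check_uri_after_content(uri, b"/pizza.php?", "bufferlen:11,relative;"))  # True
    body = b"0123456789"              # 10 bytes
    print(bufferlen_matches("bufferlen:2<=>10;", body))                           # True (inclusive)
    print(bufferlen_matches("bufferlen:2<>10;", body))                            # False (exclusive)
    print(is_valid_bufferlen("bufferlen:65536;"))                                 # False
```

Running the file directly prints the results for the forms used in the examples above; note how the same 10-byte body satisfies 2<=>10 but not 2<>10, and how ,relative counts only the bytes after the content match rather than the whole URI.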