The bufferlen option enables rule-writers to check the length of a given buffer. Users can check that the length of a buffer equals an exact size, or they can use a mathematical equality/inequality sign to compare a buffer's length to a given size or sizes.

Declaring a bufferlen option is done with the bufferlen keyword, followed by a colon character, optionally followed by an equality/inequality sign, and lastly followed by the number to compare against. A bufferlen check can also be made relative to a previous cursor move by adding ,relative after the number.

Users can also use bufferlen to look for a length value that is between two numbers. This is done by setting the sign to <> or <=> and putting the minimum number to the left of the sign and the maximum number to the right of it. The <> case is for an exclusive min-max check, while the <=> case is for an inclusive min-max check.

Valid bufferlen number values are 0 through 65535 (inclusive).

bufferlen will be tested against the pkt_data buffer unless some other sticky buffer is specified before it.

Note: Snort 2's urilen option has been removed, and Snort 3 rule-writers should use the http_uri sticky buffer + bufferlen to check URI lengths.


Single value comparison:
Range comparison:


# check that the packet payload contains more than 100 bytes
# check that the http_uri buffer contains exactly 10 bytes of data after the content match
# check that the client body contains between 2 and 10 bytes (inclusive) 
# check that the client body contains between 2 and 10 bytes (exclusive)
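
The four checks named in the comments above, plus the urilen replacement from the note, written out as complete Snort 3 rules. This is an added example, not rules from the original page: the rule headers, msg strings, sids, the content string "/search?q=" and the 2048-byte threshold are constructed for illustration.

```snort
# Added example: headers, msgs, sids, content string and thresholds are constructed.

# Packet payload (pkt_data, the default buffer) contains more than 100 bytes.
alert tcp any any -> any any (
    msg:"EXAMPLE pkt_data longer than 100 bytes";
    bufferlen:>100;
    sid:1000001; rev:1;
)

# Exactly 10 bytes of http_uri data follow the content match (cursor-relative).
alert http (
    msg:"EXAMPLE exactly 10 bytes after /search?q= in URI";
    flow:to_server,established;
    http_uri;
    content:"/search?q=";
    bufferlen:10,relative;
    sid:1000002; rev:1;
)

# Client body length is 2 through 10 bytes (inclusive range, <=>).
alert http (
    msg:"EXAMPLE client body 2 to 10 bytes inclusive";
    flow:to_server,established;
    http_client_body;
    bufferlen:2<=>10;
    sid:1000003; rev:1;
)

# Client body length is 3 through 9 bytes (exclusive range, <>).
alert http (
    msg:"EXAMPLE client body between 2 and 10 bytes exclusive";
    flow:to_server,established;
    http_client_body;
    bufferlen:2<>10;
    sid:1000004; rev:1;
)

# Snort 2 urilen replacement: http_uri sticky buffer followed by bufferlen.
alert http (
    msg:"EXAMPLE URI longer than 2048 bytes";
    flow:to_server,established;
    http_uri;
    bufferlen:>2048;
    sid:1000005; rev:1;
)
```

In each HTTP rule the sticky buffer is named before bufferlen; without it the check would run against pkt_data instead.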