bufferlen
The bufferlen option enables rule-writers to check the length of a given buffer. Users can check that the length of a buffer equals an exact size, or they can use a mathematical equality/inequality sign to compare a buffer's length to a given size or sizes.
Declaring a bufferlen option is done with the bufferlen keyword, followed by a colon character, optionally followed by an equality/inequality sign, and lastly followed by the number to compare against. A bufferlen check can also be made relative to a previous cursor move by adding ,relative after the number.
Users can also use bufferlen to look for a length value that is between two numbers. This is done by setting the sign to <> or <=> and putting the minimum number to the left of the sign and the maximum number to the right of it. The <> case is for an exclusive min-max check, while the <=> case is for an inclusive min-max check.
Valid bufferlen number values are 0 through 65535 (inclusive).
bufferlen will be tested against the pkt_data buffer unless some other sticky buffer is specified before it.
Note: Snort 2's urilen option has been removed, and Snort 3 rule-writers should use the http_uri sticky buffer + bufferlen to check URI lengths.
Format:
Single value comparison:
bufferlen:[<|>|=|!|<=|>=]length[,relative];
Range comparison:
bufferlen:min_length{<>|<=>}max_length[,relative];
Examples:
# check that the packet payload contains more than 100 bytes
bufferlen:>100;
http_uri;
content:"/pizza.php?";
# check that the http_uri buffer contains exactly 10 bytes of data after the content match
bufferlen:10,relative;
http_client_body;
# check that the client body contains between 2 and 10 bytes (inclusive)
bufferlen:2<=>10;
http_client_body;
# check that the client body contains between 2 and 10 bytes (exclusive)
bufferlen:2<>10;
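The following is an added example, not code from the Snort project or this documentation: a small Python model of the bufferlen option that parses both formats above and evaluates them against a buffer, so the exclusive/inclusive range cases and the ,relative modifier can be checked on sample data. It assumes that ,relative measures the bytes remaining after the cursor left by the previous content match (as the http_uri example describes) and that ! means "not equal"; the sample buffers are constructed.

```python
import re

# Forms accepted, mirroring the Format section:
#   bufferlen:[<|>|=|!|<=|>=]length[,relative];
#   bufferlen:min_length{<>|<=>}max_length[,relative];
_SINGLE = re.compile(r"^(<=|>=|<|>|=|!)?(\d+)(,relative)?$")
_RANGE = re.compile(r"^(\d+)(<=>|<>)(\d+)(,relative)?$")
MAX_LEN = 65535  # valid number values are 0..65535 inclusive


def _check_value(n):
    if not 0 <= n <= MAX_LEN:
        raise ValueError(f"bufferlen value {n} out of range 0..{MAX_LEN}")
    return n


def parse_bufferlen(text):
    """Parse a bufferlen option body, with or without the 'bufferlen:' prefix and ';'."""
    arg = text.strip().rstrip(";").replace(" ", "")
    if arg.startswith("bufferlen:"):
        arg = arg[len("bufferlen:"):]
    m = _RANGE.match(arg)
    if m:
        lo, op, hi, rel = m.group(1), m.group(2), m.group(3), m.group(4)
        return {"kind": "range", "op": op, "min": _check_value(int(lo)),
                "max": _check_value(int(hi)), "relative": bool(rel)}
    m = _SINGLE.match(arg)
    if m:
        op, n, rel = m.group(1) or "=", m.group(2), m.group(3)
        return {"kind": "single", "op": op, "n": _check_value(int(n)),
                "relative": bool(rel)}
    raise ValueError(f"malformed bufferlen argument: {arg!r}")


def bufferlen_matches(spec, buf, cursor=0):
    """Evaluate a parsed spec against buf.

    cursor is the offset left by a previous content match; with ,relative the
    length tested is the number of bytes after the cursor (assumption), otherwise
    it is the whole buffer length.
    """
    length = len(buf) - cursor if spec["relative"] else len(buf)
    if spec["kind"] == "range":
        if spec["op"] == "<>":  # exclusive min-max check
            return spec["min"] < length < spec["max"]
        return spec["min"] <= length <= spec["max"]  # inclusive (<=>)
    n = spec["n"]
    return {"=": length == n, "!": length != n, "<": length < n,
            ">": length > n, "<=": length <= n, ">=": length >= n}[spec["op"]]
```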