dsize
The dsize rule option is used to test a packet's payload size. This option can be used to look for a payload size that is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value. This rule option can also be used to check that a payload size is between a range of numbers, using the <> range operator for an exclusive range check or the <=> for an inclusive one.
The valid dsize number range is 0-65535.
Note that dsize values are calculated using only the payload portion of a given packet. For instance, for raw TCP/IP packets, the dsize value will be calculated using only the TCP segment's data section. Likewise for ICMPv6 packets, dsize will correspond to only the size of the message payload and will not include the four ICMPv6 header bytes.
Format:
Single value comparison:
dsize:[<|>|=|!|<=|>=]size;
Range comparison:
dsize:min_size{<>|<=>}max_size;
Examples:
dsize:300<>400;
dsize:>10000;
dsize:<10;
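
The comparison semantics described above, modelled in Python as an added example; this is not Snort's own code and not part of the original page. The names parse_dsize and dsize_matches are assumptions, and the payload lengths are constructed to show the boundary behaviour of the exclusive and inclusive range operators.

```python
import re

# Assumed helper names; a model of the documented semantics, not Snort's source.
_SINGLE = re.compile(r"^(<=|>=|<|>|=|!)?(\d+)$")
_RANGE = re.compile(r"^(\d+)(<=>|<>)(\d+)$")
MAX_DSIZE = 65535  # the page gives the valid number range as 0-65535


def _bounded(text):
    value = int(text)
    if value > MAX_DSIZE:
        raise ValueError(f"dsize value {value} outside 0-{MAX_DSIZE}")
    return value


def parse_dsize(option):
    """Turn 'dsize:<expr>;' into (operator, low, high); high is None for single values."""
    body = option.strip()
    if not (body.startswith("dsize:") and body.endswith(";")):
        raise ValueError("expected 'dsize:<expr>;'")
    expr = body[len("dsize:"):-1]
    m = _RANGE.match(expr)
    if m:
        return (m.group(2), _bounded(m.group(1)), _bounded(m.group(3)))
    m = _SINGLE.match(expr)
    if m:
        # No operator means an equality test.
        return (m.group(1) or "=", _bounded(m.group(2)), None)
    raise ValueError(f"unrecognised dsize expression: {expr!r}")


def dsize_matches(option, payload_len):
    """Evaluate the option against a payload length (payload bytes only, no headers)."""
    op, low, high = parse_dsize(option)
    if op == "<>":   # exclusive range: neither endpoint matches
        return low < payload_len < high
    if op == "<=>":  # inclusive range: both endpoints match
        return low <= payload_len <= high
    return {"<": payload_len < low, ">": payload_len > low,
            "=": payload_len == low, "!": payload_len != low,
            "<=": payload_len <= low, ">=": payload_len >= low}[op]


if __name__ == "__main__":
    # Constructed payload lengths probing the edges of each expression.
    for opt, n in [("dsize:300<>400;", 300), ("dsize:300<>400;", 301),
                   ("dsize:300<=>400;", 400), ("dsize:>10000;", 10000),
                   ("dsize:<10;", 0)]:
        print(f"{opt:18} payload={n:<6} match={dsize_matches(opt, n)}")
```

The length passed in must already exclude protocol headers, as the page notes for TCP segments and ICMPv6 messages.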