Azinix

Rlp_DsizeAttribute_t Struct Reference

The dsize option tests the packet payload size. It may be set to any value, and the greater-than/less-than signs may be used to indicate ranges and limits.

#include <rlp.h>


Data Fields

bool greaterThan
bool lessThan
int dsize


Detailed Description

The dsize option tests the packet payload size. It may be set to any value, and the greater-than/less-than signs may be used to indicate ranges and limits.

For example, if you know that a certain service has a buffer of a certain size, you can set this option to watch for attempted buffer overflows. It has the added advantage of being a much faster way to test for a buffer overflow than a payload content check. This can also be used to check a range of values. For example, dsize: 400<>500 will return all the packets from 400 to 500 bytes in their payload section.

These checks always return false on a stream-rebuilt packet.

Format: dsize: [<>]<number>[<><number>] (The > and < operators are optional)

In all the rules I saw, the size checks were equal, <, or >:

Some examples:

  dsize: 0
  dsize: 20
  dsize: < 25
  dsize: <5
  dsize: >1
  dsize: >1000
  dsize: >800
  dsize:0
  dsize:1
  dsize:10
  dsize:>1023
  dsize:>1092
  

Implementation [5 mins - just a test if numeric, scanf once or twice]
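An added example, not code from Azinix or rlp.h: one way to parse a dsize value into the three fields documented here and evaluate it against a packet, covering the single-operator forms listed above and the stream-rebuilt rule. The DsizeAttr type and the dsize_parse/dsize_match functions are hypothetical names; this example stores one bound only, so it rejects the range form (400<>500) instead of silently truncating it.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Local mirror of the three documented fields (assumption: not copied from rlp.h). */
typedef struct {
    bool greaterThan;
    bool lessThan;
    int  dsize;
} DsizeAttr;

/* Parse the text after "dsize:", e.g. "0", "< 25", ">1023".
 * Returns 0 on success, -1 on malformed input or on the range form
 * ("400<>500"), which this single-bound example does not represent. */
int dsize_parse(const char *s, DsizeAttr *out)
{
    char *end;
    long v;

    out->greaterThan = out->lessThan = false;
    out->dsize = 0;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '>')      { out->greaterThan = true; s++; }
    else if (*s == '<') { out->lessThan = true;    s++; }
    while (isspace((unsigned char)*s)) s++;
    if (!isdigit((unsigned char)*s)) return -1;   /* rejects "", "-5", "<>" */

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || v > INT_MAX) return -1; /* size does not fit in int */
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return -1;                  /* trailing junk or "<>500" */
    out->dsize = (int)v;
    return 0;
}

/* Evaluate the test against one packet. Stream-rebuilt packets never match. */
bool dsize_match(const DsizeAttr *a, int payload_len, bool stream_rebuilt)
{
    if (stream_rebuilt) return false;
    if (a->greaterThan) return payload_len > a->dsize;
    if (a->lessThan)    return payload_len < a->dsize;
    return payload_len == a->dsize;
}
```

Rejecting unparseable values at rule-load time matters for detection coverage: a size test that silently parses as 0 would only ever match empty payloads.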

Definition at line 415 of file rlp.h.


Field Documentation

bool Rlp_DsizeAttribute_t::greaterThan

Definition at line 417 of file rlp.h.

bool Rlp_DsizeAttribute_t::lessThan

Definition at line 418 of file rlp.h.

int Rlp_DsizeAttribute_t::dsize

Definition at line 419 of file rlp.h.