For example, if you know that a certain service has a buffer of a certain size, you can set this option to watch for attempted buffer overflows. It has the added advantage of being a much faster way to test for a buffer overflow than a payload content check. This can also be used to check a range of values. For example, dsize: 400<>500 will match all packets whose payload section is from 400 to 500 bytes long.
These checks will always return false on a stream-rebuilt packet.
Format: dsize: [<>]<number>[<><number>] (The > and < operators are optional)
In all the rules I saw, the size checks were equal, <, or >:
dsize: 0
dsize: 20
dsize: < 25
dsize: <5
dsize: >1
dsize: >1000
dsize: >800
dsize:0
dsize:1
dsize:10
dsize:>1023
dsize:>1092
Implementation: 5 mins - just a test if numeric, scanf once or twice
Definition at line 415 of file rlp.h.
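
The parse and match that the implementation note describes, as an added example in C (not code from rlp.h). The names dsize_parse, dsize_match and struct dsize_check are hypothetical; treating the range bounds as inclusive and an inverted range as an error are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; none of this is taken from rlp.h. */
enum dsize_op { DSIZE_EQ, DSIZE_LT, DSIZE_GT, DSIZE_RANGE };
struct dsize_check { enum dsize_op op; unsigned lo, hi; };

/* Parse the text after "dsize:", e.g. "0", "< 25", ">1023", "400<>500".
 * Returns 0 on success, -1 if the text is not a valid size check. */
int dsize_parse(const char *arg, struct dsize_check *out)
{
    unsigned a = 0, b = 0;
    char op = 0;
    int used = 0;
    /* Only digits, operators and blanks; this also rejects "-5" and "+5". */
    if (arg[strspn(arg, "0123456789<> \t")] != '\0') return -1;
    /* %9u caps each number at 9 digits so it always fits in an unsigned. */
    if (sscanf(arg, " %9u <> %9u %n", &a, &b, &used) == 2 && arg[used] == '\0') {
        if (a > b) return -1;        /* assumption: inverted range is an error */
        *out = (struct dsize_check){ DSIZE_RANGE, a, b };
    } else if (sscanf(arg, " %c %9u %n", &op, &a, &used) == 2
               && (op == '<' || op == '>') && arg[used] == '\0') {
        *out = (struct dsize_check){ op == '<' ? DSIZE_LT : DSIZE_GT, a, 0 };
    } else if (sscanf(arg, " %9u %n", &a, &used) == 1 && arg[used] == '\0') {
        *out = (struct dsize_check){ DSIZE_EQ, a, 0 };
    } else {
        return -1;
    }
    return 0;
}

/* 1 if the payload length satisfies the check; stream-rebuilt packets never do. */
int dsize_match(const struct dsize_check *c, unsigned payload_len, int rebuilt)
{
    if (rebuilt) return 0;
    switch (c->op) {
    case DSIZE_EQ:    return payload_len == c->lo;
    case DSIZE_LT:    return payload_len < c->lo;
    case DSIZE_GT:    return payload_len > c->lo;
    case DSIZE_RANGE: return payload_len >= c->lo && payload_len <= c->hi;
    }
    return 0;
}

int main(void)
{
    struct dsize_check c;
    if (dsize_parse("400<>500", &c) != 0) return 1;
    printf("450: %d  501: %d\n", dsize_match(&c, 450, 0), dsize_match(&c, 501, 0));
}
```

The range form is tried first because a plain-number parse would otherwise stop at "400" and leave "<>500" unexamined; every branch also requires the whole string to be consumed, so trailing junk is rejected rather than silently ignored.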