Rlp_DsizeAttribute_t Struct Reference

The dsize option is used to test the packet payload size. It may be set to any value, plus use the greater than/less than signs to indicate ranges and limits. More...

#include <rlp.h>

Data Fields
bool	greaterThan
bool	lessThan
int	dsize

---

Detailed Description

The dsize option is used to test the packet payload size. It may be set to any value, plus use the greater than/less than signs to indicate ranges and limits.

For example, if you know that a certain service has a buffer of a certain size, you can set this option to watch for attempted buffer overflows. It has the added advantage of being a much faster way to test for a buffer overflow than a payload content check. This can also be used to check a range of values. For example, dsize: 400<>500 will return all the packets from 400 to 500 bytes in their payload section.

These checks always will return false on a stream rebuilt packet.

Format dsize: \[<>\]<number>\[<><number>]\ (The > and < operators are optional)

In all the rules I saw, the size checks were equal, <, or >:

Some examples:

  dsize: 0
  dsize: 20
  dsize: < 25
  dsize: <5
  dsize: >1
  dsize: >1000
  dsize: >800
  dsize:0
  dsize:1
  dsize:10
  dsize:>1023
  dsize:>1092
  

Implementation [ 5 mins - just a test if numeric, scanf once or twice

Definition at line 415 of file rlp.h.

---

Field Documentation

bool Rlp_DsizeAttribute_t::greaterThan

Definition at line 417 of file rlp.h.

bool Rlp_DsizeAttribute_t::lessThan

Definition at line 418 of file rlp.h.

int Rlp_DsizeAttribute_t::dsize

Definition at line 419 of file rlp.h.