I'm trying to solve two separate problems and running into brick walls with both.
Background: Running NetWitness 220.127.116.11 - Decoders + Concentrators + Broker.
Problem #1: I want to set an alert if a *packet* has a certain number of bytes in the data payload.
I went down the road of thinking the snort engine could do this with the "dsize" directive, but it appears this isn't implemented in the NW snort parser. Note: I'm looking for a specific *packet*, not the whole session/stream.
Problem #2: I want to see if an HTTP Cookie matches a PCRE and set an alert. Similar issue: thinking snort parser, but PCRE on snort parser only looks at URI. Should I try the Search engine for this (setting PATTERN to be "Cookie: <My PCRE>"), or is there a better way?
Thanks for any insight-
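The two checks the post describes, written out as plain detection logic so the per-packet versus per-stream distinction and the Cookie-header regex are concrete. This is an added example, not code from the poster and not NetWitness or Snort configuration; it uses Python's `re` in place of PCRE (the negative-lookahead pattern below is valid in both), and the `Packet` class, the `SAMPLE_PACKETS` traffic, the `SESSION_FORMAT_PCRE` pattern and the function names are all constructed for illustration.

```python
"""Per-packet payload-size check and HTTP Cookie regex check over constructed traffic."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal stand-in for one captured TCP segment (constructed, not a real capture)."""
    flow: str        # client->server label; constructed
    payload: bytes   # TCP data bytes only, no headers


# Constructed sample traffic:
#  0: small request with a session cookie that is NOT in the expected format
#  1: one oversized packet (1445 bytes of payload) with no Cookie header
#  2: request whose session cookie IS in the expected 32-hex-char format
#  3,4: one flow split into two 600-byte segments (large only when reassembled)
SAMPLE_PACKETS = [
    Packet("10.0.0.5:41000->10.0.0.9:80",
           b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"),
    Packet("10.0.0.6:41001->10.0.0.9:80",
           b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n" + b"A" * 1400),
    Packet("10.0.0.7:41002->10.0.0.9:80",
           b"GET /login HTTP/1.1\r\nHost: example.test\r\n"
           b"Cookie: session=0123456789abcdef0123456789abcdef; theme=dark\r\n\r\n"),
    Packet("10.0.0.8:41003->10.0.0.9:80", b"B" * 600),
    Packet("10.0.0.8:41003->10.0.0.9:80", b"B" * 600),
]

# Constructed PCRE: flag a "session=" cookie whose value is not exactly 32 hex chars.
SESSION_FORMAT_PCRE = r"session=(?![0-9a-f]{32}\b)\S+"


def packet_size_alerts(packets, min_bytes):
    """Alert on each individual packet whose data payload is >= min_bytes.

    This is the per-packet semantics the post asks for (Snort's dsize is the
    analogous idea); segments of the same flow are deliberately NOT summed.
    """
    return [(i, p.flow, len(p.payload))
            for i, p in enumerate(packets) if len(p.payload) >= min_bytes]


def stream_size_alerts(packets, min_bytes):
    """Same threshold applied to the reassembled per-flow byte count, for contrast."""
    totals = {}
    for p in packets:
        totals[p.flow] = totals.get(p.flow, 0) + len(p.payload)
    return sorted((flow, n) for flow, n in totals.items() if n >= min_bytes)


def cookie_header(payload):
    """Return the Cookie header value of an HTTP request held in one payload, else None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:                      # headers not complete in this segment
        return None
    lines = head.split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/\d\.\d$", lines[0]):
        return None                  # not an HTTP request line
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"cookie":
            return value.strip().decode("latin-1")
    return None


def cookie_alerts(packets, pattern):
    """Alert on packets whose Cookie header matches the given regex (PCRE-style)."""
    rx = re.compile(pattern)
    alerts = []
    for i, p in enumerate(packets):
        cookie = cookie_header(p.payload)
        if cookie is None:
            continue
        m = rx.search(cookie)
        if m:
            alerts.append((i, p.flow, m.group(0)))
    return alerts


if __name__ == "__main__":
    print("per-packet >= 1000:", packet_size_alerts(SAMPLE_PACKETS, 1000))
    print("per-stream >= 1000:", stream_size_alerts(SAMPLE_PACKETS, 1000))
    print("cookie matches:", cookie_alerts(SAMPLE_PACKETS, SESSION_FORMAT_PCRE))
```

With a 1000-byte threshold the per-packet check fires only for packet 1, while the per-stream check also fires for the 10.0.0.8 flow whose two 600-byte segments only cross the threshold once summed; that gap is exactly why a stream-level rule cannot substitute for a packet-level one. The cookie check only sees a Cookie header when the full request head sits in one segment, so a request whose headers span segments needs reassembly before the regex is applied.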