fsize Syntax Rules
The **fsize** field is used to detect the file size. It is often used with the **file_data** and **file_type** fields.

Example:

```
flow: to_server; file_data; file_type:pdf; content:"xget"; fsize:>1000;
```

When the file type is pdf, the file content matches the **xget** feature string, and the size of the received file is greater than 1000 bytes, the signature is matched.

Supported operators

| Keyword          | Description          |
| ---------------- | -------------------- |
| fsize:1000;      | Equal to             |
| fsize:>1000;     | Greater than         |
| fsize:<1000;     | Smaller than         |
| fsize:!1000;     | Not equal to         |
| fsize:200<>1000; | Between 200 and 1000 |

**ssize** and **fsize** are used for flow-based detection. When writing these two types of rules, pay attention to the following points: (Here, **fsize** is used as an example.)

1. fsize: <10000;

   When all the other detection items are matched, if the size of the received file is 3200 bytes (smaller than 10,000 bytes), the signature is matched. If the file size is 20,000 bytes (greater than or equal to 10,000 bytes), the signature is not matched.

2. fsize: 10000;

   When other detection items are matched, if the size of the received file is equal to 10,000 bytes, the signature is matched. If the file size is smaller than 10,000 bytes, the system waits for subsequent traffic. If the file size is greater than 10,000 bytes, the signature is not matched.

3. fsize: !10000;

   When other detection items are matched, if the size of the received file is not equal to 10,000 bytes, the signature is matched. If the file size is smaller than 10,000 bytes, the system waits for subsequent traffic. If no subsequent traffic exists, the signature is matched.

4. fsize: >10000;

   When other detection items are matched, if the size of the received file is 20,000 bytes (greater than 10,000 bytes), the signature is matched. If the file size is 3200 bytes (less than or equal to 10,000 bytes), the system waits for subsequent traffic. If the file size is greater than 10,000 bytes, the signature is matched.

5. fsize: 5000<>10000;

   When other detection items are matched, if the size of the received file is 6000 bytes (between 5000 and 10,000 bytes), the signature is matched. If the file size is 3000 bytes (less than or equal to 5000 bytes), the system waits for subsequent traffic. If the file size falls within the range of 5000–10000 bytes, the signature is matched.
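The five points above describe a three-state decision (matched, not matched, wait for subsequent traffic) on the bytes received so far. The following Python model of that decision is an added example, not the product's own code; `parse_fsize`, `evaluate` and `more_expected` are hypothetical names, and the cases the page does not state are marked as assumptions in the comments.

```python
import re
from enum import Enum

class Verdict(Enum):
    MATCH = "matched"
    NO_MATCH = "not matched"
    WAIT = "wait for subsequent traffic"

# Accepts the five forms in the operator table: N, >N, <N, !N, A<>B.
_FSIZE = re.compile(r"fsize:\s*(?:(\d+)<>(\d+)|([<>!]?)(\d+))\s*;")

def parse_fsize(option):
    m = _FSIZE.fullmatch(option.strip())
    if not m:
        raise ValueError(f"unsupported fsize option: {option!r}")
    if m.group(1) is not None:
        return "<>", int(m.group(1)), int(m.group(2))
    return m.group(3) or "=", int(m.group(4)), None

def evaluate(option, received, more_expected=True):
    """Verdict for `received` bytes of file data seen so far.

    more_expected=False models "no subsequent traffic exists".
    """
    op, a, b = parse_fsize(option)
    # Assumption: a rule still waiting when the flow ends does not match.
    pending = Verdict.WAIT if more_expected else Verdict.NO_MATCH
    if op == "<":
        return Verdict.MATCH if received < a else Verdict.NO_MATCH
    if op == "=":
        if received == a:
            return Verdict.MATCH
        return pending if received < a else Verdict.NO_MATCH
    if op == "!":
        if received > a:
            return Verdict.MATCH
        if received < a:  # page: matched once no subsequent traffic exists
            return Verdict.WAIT if more_expected else Verdict.MATCH
        return pending  # assumption: exactly N bytes so far is not stated
    if op == ">":
        return Verdict.MATCH if received > a else pending
    # Range: lower bound exclusive per the page; upper bound assumed exclusive.
    if a < received < b:
        return Verdict.MATCH
    return pending if received <= a else Verdict.NO_MATCH  # above range: assumption

if __name__ == "__main__":
    seen = 0  # constructed flow: one file arriving in three chunks
    for chunk in (3000, 3000, 6000):
        seen += chunk
        print(seen, evaluate("fsize:5000<>10000;", seen).value)
```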