Bug #142

byte_jump/byte_test + relative does not work when previous match is pcre.

Added by Will Metcalf almost 4 years ago. Updated almost 4 years ago.

Status:ClosedStart date:05/04/2010
Priority:NormalDue date:05/10/2010
Assignee:Gurvinder Singh% Done:

100%

Category:-Estimated time:2.50 hours
Target version:0.9.1

Description

byte_jump/byte_test + relative does not work when previous match is pcre. This should be a supported feature, as it is supported in snort.

[3499] 4/5/2010 -- 19:41:06 - (detect-bytetest.c:538) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_BYTETEST_MISSING_CONTENT(103)] - relative bytetest match needs a previous content option
[3499] 4/5/2010 -- 19:41:06 - (detect.c:295) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Error parsing signature "alert tcp any any -> any any (msg:"pcre + byte_test + relative"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_test:1,=,1,6,relative,string,dec; classtype:bad-unknown; sid:126; rev:1;)" from file /home/coz/allworkplain.rules at line 20

[3499] 4/5/2010 -- 19:41:06 - (detect-bytejump.c:518) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_BYTEJUMP_MISSING_CONTENT(104)] - relative bytejump match needs a previous content option
[3499] 4/5/2010 -- 19:41:06 - (detect.c:295) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Error parsing signature "alert tcp any any -> any any (msg:"pcre + byte_test + relative"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_jump:1,6,relative,string,dec; content:"0"; within:1; classtype:bad-unknown; sid:134; rev:1;)" from file /home/coz/allworkplain.rules at line 53

01/04-12:29:26.927934 [**] [1:134:1] pcre + byte_test + relative [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
01/04-12:29:26.927934 [**] [1:126:1] pcre + byte_test + relative [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80

allworkandnoplayplain.pcap - allworkandnoplay (2.7 KB) Will Metcalf, 05/04/2010 07:07 PM

0001-set-the-byte_jum-byte_test-with-relative-keyword-whe.patch Magnifier (8.42 KB) Gurvinder Singh, 05/14/2010 11:29 AM

History

#1 Updated by Gurvinder Singh almost 4 years ago

  • Assignee changed from OISF Dev to Gurvinder Singh

#2 Updated by Gurvinder Singh almost 4 years ago

Attached patch fixes the support for setting the rule when pcre is previous keyword. For the byte_jump rule, there is within keyword, to set it please apply the patch from bug 145.

#3 Updated by Victor Julien almost 4 years ago

  • Status changed from Resolved to Closed
  • Target version changed from 1.0.0 to 0.9.1
  • % Done changed from 90 to 100

Applied, thanks Gurvinder.

Also available in: Atom PDF