<p><strong>Suricata - Bug #158: byte_test + relative modifier doesn't work when previous keyword is byte_jump</strong> (Open Information Security Foundation, <a href="https://redmine.openinfosecfoundation.org/issues/158">https://redmine.openinfosecfoundation.org/issues/158</a>)</p>
<p><strong>Updated by</strong> Gurvinder Singh (gurvindersinghdahiya@gmail.com) on 2010-05-14T23:10:32Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=564">journal 564</a>)</p>
<ul><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Gurvinder Singh</i></li></ul>
<p><strong>Updated by</strong> Gurvinder Singh (gurvindersinghdahiya@gmail.com) on 2010-05-15T13:49:35Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=567">journal 567</a>)</p>
<ul><li><strong>File</strong> <a href="https://redmine.openinfosecfoundation.org/attachments/download/227/0002-support-setting-up-byte_test-relative-when-byte_jumo.patch">0002-support-setting-up-byte_test-relative-when-byte_jumo.patch</a> added</li><li><strong>File</strong> <a href="https://redmine.openinfosecfoundation.org/attachments/download/228/0003-support-setting-up-byte_jump-relative-when-byte_test.patch">0003-support-setting-up-byte_jump-relative-when-byte_test.patch</a> added</li><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>90</i></li></ul>
<p>Attached is a patch which fixes the issue. It is incremental to bug 142. I wonder, Will, whether the following signature is valid or not:</p>
<p>alert tcp any any -> any any (msg:"content + byte_test + relative"; byte_test:1,=,0,0,relative,string,dec; byte_jump:1,44,string,dec; classtype:bad-unknown; sid:777; rev:1;)</p>
<p>If it is valid, then I have attached another patch for the same; otherwise don't apply the last patch.</p>
<p><strong>Updated by</strong> Will Metcalf (william.metcalf@gmail.com) on 2010-05-15T22:34:10Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=568">journal 568</a>)</p>
<p>Are you asking if the case is valid where there is no previous match for the first byte_test with relative? In Snort, if a relative option is passed to byte_test and there is no previous match, it will start from the beginning of the payload. With that said, I don't agree with this behavior and I think we should tell the user that the signature is wrong and produce an error, as it is probably a typo.</p>
<p><strong>Updated by</strong> Gurvinder Singh (gurvindersinghdahiya@gmail.com) on 2010-05-15T22:41:35Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=569">journal 569</a>)</p>
<p>Ah, it seems I made a typo when asking you about the signature validity. The correct signature which I am asking about is:</p>
<p>alert tcp any any -> any any (msg:"content + byte_test + relative"; byte_test:1,=,0,0,string,dec; byte_jump:1,44,relative,string,dec; classtype:bad-unknown; sid:777; rev:1;)</p>
<p><strong>Updated by</strong> Will Metcalf (william.metcalf@gmail.com) on 2010-05-16T08:58:20Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=570">journal 570</a>)</p>
<p>No, this is not supported. Snort's behavior here is that byte_jump,relative would be from the beginning of the payload, as byte_test doesn't move doe_ptr. Once again, no message is displayed to the user; Snort "assumes" this is what you meant. We should reject this rule, as it will probably not behave in the way that the author thinks it will.</p>
<p><strong>Updated by</strong> Victor Julien (victor@inliniac.net) on 2010-05-18T05:08:21Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=571">journal 571</a>)</p>
<p>Does this mean the patch is correct or not?</p>
<p><strong>Updated by</strong> Will Metcalf (william.metcalf@gmail.com) on 2010-05-18T05:32:13Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=573">journal 573</a>)</p>
<p>It means the 002 patch is correct, but in my opinion 003 is not.</p>
<p><strong>Updated by</strong> Victor Julien (victor@inliniac.net) on 2010-05-19T07:59:36Z (<a href="https://redmine.openinfosecfoundation.org/issues/158?journal_id=579">journal 579</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>100</i></li></ul><p>Ok, applied only 0002. Thanks guys.</p>