Bug #165
closedbyte_jump/relative doesn't work when previous match is byte_jump.
Description
The following sig fails to load, but is valid and should match (packet #46).
alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)
[15285] 21/5/2010 -- 16:35:18 - (detect-bytejump.c:531) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - relative bytejump match needs a previous content option
[15285] 21/5/2010 -- 16:35:18 - (detect.c:319) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)" from file blah.rules at line 1
Interesting that this works though.
alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; content:"SMB"; byte_jump:1,5,relative; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)
Files
Updated by Gurvinder Singh almost 14 years ago
- File 0001-added-support-for-setting-up-bytejump-relative-when.patch 0001-added-support-for-setting-up-bytejump-relative-when.patch added
- Status changed from New to Resolved
- Assignee changed from OISF Dev to Gurvinder Singh
- % Done changed from 0 to 90
Attached patch provides the support for setting up the sig.
Updated by Victor Julien almost 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Applied, thanks Gurvinder.
Updated by Gurvinder Singh almost 14 years ago
- File 0001-fixed-the-typo-in-byte_jump-and-host.c-Thanks-to-rm.patch 0001-fixed-the-typo-in-byte_jump-and-host.c-Thanks-to-rm.patch added
There was a typo in the sig, thanks to rmkml for pointing out. Attached patch fixes this and another typo in host.c