Bug #165 (closed)
byte_jump/relative doesn't work when previous match is byte_jump.
Description
The following sig fails to load, but is valid and should match (packet #46).
alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)
[15285] 21/5/2010 -- 16:35:18 - (detect-bytejump.c:531) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - relative bytejump match needs a previous content option
[15285] 21/5/2010 -- 16:35:18 - (detect.c:319) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)" from file blah.rules at line 1
Interesting that this works though.
alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; content:"SMB"; byte_jump:1,5,relative; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)
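The cursor mechanics behind the two sid:144 rules above, as an added example that is not part of the ticket and not Suricata's code: a small Python model of how byte_jump, content and within thread a detection cursor through a payload, plus a model of the load-time check that produced the "needs a previous content option" error. It assumes the documented byte_jump semantics (big-endian read of <nbytes> at <offset>, absolute or relative to the cursor, with the jump counted from the end of the bytes read) and uses a constructed SMB-like payload, not packet #46. With that payload both rules walk to the same offsets; the only difference is whether the first jump is anchored absolutely or on a preceding content match.

```python
# Added example, not code from the Suricata project or this ticket: a small
# model of the detection-cursor semantics behind the two sid:144 signatures.
# Assumed byte_jump behaviour: read <nbytes> big-endian at <offset> (absolute,
# or relative to the cursor left by the previous match), then move the cursor
# to the end of the bytes read plus the value read.

def read_be(buf, start, nbytes):
    """Unsigned big-endian integer at buf[start:start+nbytes], or None if out of bounds."""
    if start < 0 or start + nbytes > len(buf):
        return None
    return int.from_bytes(buf[start:start + nbytes], "big")


def byte_jump(buf, cursor, nbytes, offset, relative):
    """byte_jump:<nbytes>,<offset>[,relative]: returns the new cursor, or None on failure."""
    start = (cursor if relative else 0) + offset
    val = read_be(buf, start, nbytes)
    if val is None:
        return None
    new_cursor = start + nbytes + val  # jump is counted from the end of the bytes read
    return new_cursor if new_cursor <= len(buf) else None


def content(buf, cursor, pattern, within=None):
    """content:<pattern>[; within:<n>]: returns the cursor after the match, or None.
    within makes the match relative: the pattern must end within <n> bytes of the cursor."""
    if within is None:
        pos = buf.find(pattern)
    else:
        hit = buf[cursor:cursor + within].find(pattern)
        pos = cursor + hit if hit >= 0 else -1
    return pos + len(pattern) if pos >= 0 else None


def evaluate(buf, options):
    """Walk the rule options in order, threading the cursor; None means no match."""
    cursor = 0
    for opt in options:
        if opt[0] == "content":
            cursor = content(buf, cursor, *opt[1:])
        elif opt[0] == "byte_jump":
            cursor = byte_jump(buf, cursor, *opt[1:])
        else:
            raise ValueError(f"unsupported option {opt[0]!r}")
        if cursor is None:
            return None
    return cursor


def old_parser_accepts(options):
    """Model (assumption, based on the error in this ticket) of the pre-fix load-time
    check: a relative byte_jump was rejected unless a content option came earlier."""
    seen_content = False
    for opt in options:
        if opt[0] == "content":
            seen_content = True
        elif opt[0] == "byte_jump" and opt[3] and not seen_content:
            return False
    return True


# The two sid:144 rules from the ticket as option lists: (kind, nbytes, offset, relative)
# for byte_jump, (kind, pattern[, within]) for content.
RULE_BYTEJUMP_FIRST = [
    ("byte_jump", 1, 13, False),      # byte_jump:1,13
    ("byte_jump", 4, 0, True),        # byte_jump:4,0,relative
    ("content", b"\x48\x00\x00", 3),  # content:"|48 00 00|"; within:3
]
RULE_CONTENT_FIRST = [
    ("content", b"SMB"),              # content:"SMB"
    ("byte_jump", 1, 5, True),        # byte_jump:1,5,relative
    ("byte_jump", 4, 0, True),        # byte_jump:4,0,relative
    ("content", b"\x48\x00\x00", 3),  # content:"|48 00 00|"; within:3
]

# Constructed payload (not packet #46): 4-byte NetBIOS header, "\xffSMB" at
# offset 4, a 1-byte length field at offset 13, a 4-byte big-endian length
# field at offset 16 and the target bytes at offset 24.
PAYLOAD = bytearray(32)
PAYLOAD[0:4] = b"\x00\x00\x00\x1c"
PAYLOAD[4:8] = b"\xffSMB"
PAYLOAD[13] = 0x02                    # read at 13, jump 2 past offset 14 -> cursor 16
PAYLOAD[16:20] = b"\x00\x00\x00\x04"  # read at 16, jump 4 past offset 20 -> cursor 24
PAYLOAD[20:24] = b"\xaa" * 4
PAYLOAD[24:27] = b"\x48\x00\x00"

if __name__ == "__main__":
    for name, rule in (("byte_jump first", RULE_BYTEJUMP_FIRST),
                       ("content first", RULE_CONTENT_FIRST)):
        print(f"{name}: old parser accepts={old_parser_accepts(rule)}, "
              f"cursor after match={evaluate(PAYLOAD, rule)}")
```

Both rules end with the cursor at 27 on this payload, while the modelled pre-fix check rejects only the first one, which is the mismatch the ticket reports. Shortening the payload below the jump target or changing the byte at offset 24 makes evaluate() return None, which is the bounds and content failure path a detection engine has to take rather than reading past the buffer.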
Files
Updated by Gurvinder Singh almost 16 years ago
- File 0001-added-support-for-setting-up-bytejump-relative-when.patch added
- Status changed from New to Resolved
- Assignee changed from OISF Dev to Gurvinder Singh
- % Done changed from 0 to 90
Attached patch provides the support for setting up the sig.
Updated by Victor Julien almost 16 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Applied, thanks Gurvinder.
Updated by Gurvinder Singh almost 16 years ago
- File 0001-fixed-the-typo-in-byte_jump-and-host.c-Thanks-to-rm.patch added
There was a typo in the sig, thanks to rmkml for pointing it out. Attached patch fixes this and another typo in host.c.
Updated by Victor Julien almost 16 years ago
Applied as well, thanks Gurvinder.