Bug #165

closed

byte_jump/relative doesn't work when previous match is byte_jump.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The following sig fails to load, but is valid and should match (packet #46).

alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)

[15285] 21/5/2010 -- 16:35:18 - (detect-bytejump.c:531) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - relative bytejump match needs a previous content option
[15285] 21/5/2010 -- 16:35:18 - (detect.c:319) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)" from file blah.rules at line 1

Interesting that this works though.

alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; content:"SMB"; byte_jump:1,5,relative; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)
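As an added illustration (not from this tracker entry or from Suricata's own code), a small Python model of the detection pointer the failing rule depends on: each byte_jump moves the pointer that the next relative option starts from, so a relative byte_jump can legitimately follow a byte_jump rather than only a content match. The conversion rules (big-endian, jump counted from the end of the converted bytes) and the within handling are simplified assumptions, and the payload is constructed, not a real SMB packet.

```python
def byte_jump(payload, pos, nbytes, offset, relative=False):
    """Model of byte_jump:<nbytes>,<offset>[,relative] (assumed semantics).

    Read nbytes at offset (from payload start, or from pos when relative),
    convert big-endian, and move the pointer that many bytes past the
    converted field. Returns the new pointer, or None on a failed match.
    """
    start = (pos if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        return None
    value = int.from_bytes(payload[start:start + nbytes], "big")
    new_pos = start + nbytes + value
    return new_pos if new_pos <= len(payload) else None


def content_within(payload, pos, pattern, within):
    """Model of content:<pattern>; within:N relative to the current pointer.

    The pattern must end no more than `within` bytes past pos. Returns the
    pointer after the match, or None.
    """
    idx = payload[pos:pos + within].find(pattern)
    return None if idx < 0 else pos + idx + len(pattern)


def evaluate(payload, options):
    """Walk the option chain; return the list of pointer positions after each
    option, or None as soon as one option fails to match."""
    pos, trail = 0, []
    for opt in options:
        if opt[0] == "byte_jump":
            pos = byte_jump(payload, pos, *opt[1:])
        else:
            pos = content_within(payload, pos, *opt[1:])
        if pos is None:
            return None
        trail.append(pos)
    return trail


# The option chain of the sig that fails to load in the report (sid:144).
RULE_144 = [
    ("byte_jump", 1, 13, False),        # byte_jump:1,13
    ("byte_jump", 4, 0, True),          # byte_jump:4,0,relative
    ("content", b"\x48\x00\x00", 3),    # content:"|48 00 00|"; within:3
]

# Constructed payload (assumption, not captured traffic) laid out so the chain matches.
SAMPLE = (
    b"\xffSMB" + b"\x00" * 9       # bytes 0-12: filler
    + b"\x02"                      # byte 13: read 1 byte = 2 -> pointer 14 + 2 = 16
    + b"\x00\x00"                  # bytes 14-15: skipped by the jump
    + b"\x00\x00\x00\x05"          # bytes 16-19: read 4 bytes = 5 -> pointer 20 + 5 = 25
    + b"\x00" * 5                  # bytes 20-24: skipped by the jump
    + b"\x48\x00\x00"              # bytes 25-27: content must sit within 3 bytes of 25
)

if __name__ == "__main__":
    print(evaluate(SAMPLE, RULE_144))   # [16, 25, 28]
```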

#1

Updated by Gurvinder Singh over 14 years ago

Attached patch provides the support for setting up the sig.

#2

Updated by Victor Julien over 14 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100

Applied, thanks Gurvinder.

#3

Updated by Gurvinder Singh over 14 years ago

There was a typo in the sig, thanks to rmkml for pointing out. Attached patch fixes this and another typo in host.c

#4

Updated by Victor Julien over 14 years ago

Applied as well, thanks Gurvinder.
