Project

General

Profile

Actions
Copy link

Bug #165

closed

byte_jump/relative doesn't work when previous match is byte_jump.

Added by Will Metcalf almost 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Gurvinder Singh
Target version:
0.9.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

The following sig fails to load, but is valid and should match (packet #46).

alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)

[15285] 21/5/2010 -- 16:35:18 - (detect-bytejump.c:531) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - relative bytejump match needs a previous content option
[15285] 21/5/2010 -- 16:35:18 - (detect.c:319) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; byte_jump:1,13; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)" from file blah.rules at line 1

Interesting that this works though.

alert tcp any any -> any 445 (msg:"byte_test with byte_test + relative"; content:"SMB"; byte_jump:1,5,relative; byte_jump:4,0,relative; content:"|48 00 00|"; within:3; sid:144; rev:1;)

Files

Download all files
rpcoversmbtraffic.pcap (20 KB) rpcoversmbtraffic.pcap rpc over smbtraffic packet 46 should cause the alert to fire. Will Metcalf, 05/21/2010 03:42 PM
0001-added-support-for-setting-up-bytejump-relative-when.patch (6.04 KB) 0001-added-support-for-setting-up-bytejump-relative-when.patch Gurvinder Singh, 05/24/2010 11:27 PM
0001-fixed-the-typo-in-byte_jump-and-host.c-Thanks-to-rm.patch (1.22 KB) 0001-fixed-the-typo-in-byte_jump-and-host.c-Thanks-to-rm.patch Gurvinder Singh, 05/25/2010 11:47 PM
Actions
Copy link

Also available in: Atom PDF