Bug #1697

closed

byte_extract incompatibility with Snort.

Added by Jason Ish over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Test with TALOS subscriber ruleset, Feb. 7 2016.

Suricata fails to parse a rule with the error:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)

And the relevant part of the rule being:

byte_extract:10,0,colspan,relative,string;

#1

Updated by Victor Julien over 5 years ago

Does Snort default to one of the dec/hex/oct if it's not specified?

#2

Updated by Jason Ish over 5 years ago

Yes, while it is not documented, a quick look at the code shows that if "string" is specified but the base is not set, it defaults to base 10.
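
The two behaviours discussed in this report, as an added example that is neither Suricata's nor Snort's code: a strict parse that rejects `string` without a base, and a Snort-compatible parse that falls back to base 10, plus a check that lists the rules relying on that fallback. The names `parse_byte_extract`, `audit_rules`, `RuleOptionError` and `snort_compat` are hypothetical, the sample rules are constructed around the option quoted above, and only the modifiers named in this report are interpreted.

```python
import re

BASES = {"hex": 16, "oct": 8, "dec": 10}
OPTION_RE = re.compile(r"byte_extract\s*:\s*([^;]+);")


class RuleOptionError(ValueError):
    """Raised when a byte_extract option cannot be accepted."""


def parse_byte_extract(value, snort_compat=True):
    """Parse the text between 'byte_extract:' and ';' into a dict."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) < 3:
        raise RuleOptionError("expected <bytes>,<offset>,<name>[,modifiers]")
    modifiers = [p.lower() for p in parts[3:]]
    is_string = "string" in modifiers
    base = next((BASES[m] for m in modifiers if m in BASES), None)
    defaulted = False
    if is_string and base is None:
        if not snort_compat:
            # Strict behaviour, matching the error quoted in this report.
            raise RuleOptionError("base not specified for byte_extract, "
                                  "though string was specified")
        # Snort-compatible behaviour described in comment #2: base 10.
        base, defaulted = 10, True
    return {"bytes": int(parts[0]), "offset": int(parts[1]), "name": parts[2],
            "relative": "relative" in modifiers, "string": is_string,
            "base": base, "base_defaulted": defaulted}


def audit_rules(text):
    """Return (line_no, variable_name) for options relying on the default."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in OPTION_RE.finditer(line):
            opt = parse_byte_extract(match.group(1))
            if opt["base_defaulted"]:
                hits.append((line_no, opt["name"]))
    return hits


# Constructed sample rules; only the first byte_extract option is from the report.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed 1"; content:"colspan="; byte_extract:10,0,colspan,relative,string; sid:1000001;)
alert tcp any any -> any any (msg:"constructed 2"; content:"len="; byte_extract:4,0,len,relative,string,hex; sid:1000002;)
"""

if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES))
```

Running the audit over a ruleset before loading it shows which signatures depend on the undocumented default, so they can be made explicit with `string,dec`.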

#3

Updated by Jason Ish over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 70

#4

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.0.1