Bug #1697: byte_extract incompatibility with Snort. - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1697

closed

byte_extract incompatibility with Snort.

Added by Jason Ish about 8 years ago. Updated about 8 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

3.0.1

Affected Versions:

Effort:

Difficulty:

Label:

Description

Test with TALOS subscriber ruleset, Feb. 7 2016.

Suricata fails to parse a rule with the error:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)

And the relevant part of the rule being:

byte_extract:10,0,colspan,relative,string;

Actions

Copy link

Updated by Victor Julien about 8 years ago

Does Snort default to one of the dec/hex/oct if it's not specified?

Actions

Copy link

Updated by Jason Ish about 8 years ago

Yes, while it is not documented a quick look at the code shows that if "string" is specified, but the base is not set, default to base 10.

Actions

Copy link

Updated by Jason Ish about 8 years ago

Status changed from New to Assigned
Assignee set to Jason Ish
Target version set to 70

Actions

Copy link

Updated by Victor Julien about 8 years ago

Status changed from Assigned to Closed
Target version changed from 70 to 3.0.1

https://github.com/inliniac/suricata/pull/1969

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1697

byte_extract incompatibility with Snort.

Updated by Victor Julien about 8 years ago

Updated by Jason Ish about 8 years ago

Updated by Jason Ish about 8 years ago

Updated by Victor Julien about 8 years ago