Bug #1697: byte_extract incompatibility with Snort.

Added by Jason Ish about 10 years ago. Updated about 10 years ago.

Status: Closed
Priority: Normal

Description

Test with TALOS subscriber ruleset, Feb. 7 2016.

Suricata fails to parse a rule with the error:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Base not specified for byte_extract, though string was specified.  The right options are (string, hex), (string, oct) or (string, dec)

And the relevant part of the rule being:

byte_extract:10,0,colspan,relative,string;

Updated by Victor Julien about 10 years ago #1

Does Snort default to one of the dec/hex/oct if it's not specified?

Updated by Jason Ish about 10 years ago #2

Yes, while it is not documented, a quick look at the code shows that if "string" is specified but the base is not set, it defaults to base 10.

Updated by Jason Ish about 10 years ago #3

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 70

Updated by Victor Julien about 10 years ago #4

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.0.1
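
The difference discussed in this thread, as an added example that is not part of the original issue and is not Suricata's or Snort's code: a C helper that resolves the string base for a byte_extract option list, with the strict check beside the base-10 default. The function name, the `snort_compat` switch and the return convention are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { BASE_UNSET = 0, BASE_OCT = 8, BASE_DEC = 10, BASE_HEX = 16 };

/* True when the n-byte token at p equals keyword kw. */
static int tok_is(const char *p, size_t n, const char *kw)
{
    return strlen(kw) == n && strncmp(p, kw, n) == 0;
}

/* Hypothetical helper (not Suricata's or Snort's parser). opts is the value
 * after "byte_extract:" without the trailing ';'. Returns the base used for
 * string conversion, BASE_UNSET for a binary extract, or -1 for a rule error.
 * snort_compat=0: strict check, as in the error message quoted above.
 * snort_compat=1: "string" without a base defaults to decimal (comment #2). */
int byte_extract_string_base(const char *opts, int snort_compat)
{
    int is_string = 0, base = BASE_UNSET, idx = 0;
    const char *p = opts;

    while (*p != '\0') {
        p += strspn(p, ", ");                  /* skip separators and padding */
        size_t len = strcspn(p, ","), n = len;
        while (n > 0 && p[n - 1] == ' ')
            n--;                               /* trim trailing spaces */
        if (n > 0 && idx++ >= 3) {             /* first 3 tokens: bytes, offset, name */
            if (tok_is(p, n, "string"))   is_string = 1;
            else if (tok_is(p, n, "hex")) base = BASE_HEX;
            else if (tok_is(p, n, "dec")) base = BASE_DEC;
            else if (tok_is(p, n, "oct")) base = BASE_OCT;
        }
        p += len;
    }
    if (idx < 3)
        return -1;                             /* missing bytes, offset or name */
    if (is_string && base == BASE_UNSET)
        return snort_compat ? BASE_DEC : -1;   /* the incompatibility in this bug */
    return is_string ? base : BASE_UNSET;
}

int main(void)
{
    /* Constructed input: the option value from the rule fragment above. */
    const char *opts = "10,0,colspan,relative,string";
    printf("strict: %d, snort-compatible: %d\n",
           byte_extract_string_base(opts, 0), byte_extract_string_base(opts, 1));
    return 0;
}
```

The first three tokens are skipped as positional arguments so that a variable that happens to be named `string` or `hex` is not mistaken for a modifier.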