Project

General

Profile

Actions
Copy link

Feature #2075

closed

Wildcard matching in suricata hex content matching

Added by Jason Williams about 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
-
Effort:
Difficulty:
Label:

Description

There could be use cases where being able to use wildcards in hex content would be useful, replacing the need for pcre.

example:

content:"watch me count|3a 20 00 01 02 ?? 04|";

Actions
Copy link
 #1

Updated by Victor Julien about 7 years ago

I don't think we can do this. Content keyword is all about literal matching and changing this would have an profound impact of a lot of code and logic (and likely performance).

You can of course express this already like this:

content:"watch me count|3a 20 00 01 02|"; content:"|04|"; distance:1; within:1;

We're planning to experiment with Hyperscan to optimize this into a regex and see how that will perform. That would be a hyperscan only optimization though, so for now I'm not willing to update the rule language for it. Rather it would happen behind the scenes.

Actions
Copy link
 #2

Updated by Jason Williams about 7 years ago

Understood, depending upon the use case that is how we do it now. Thanks!

Actions
Copy link
 #3

Updated by Andreas Herz almost 7 years ago

  • Status changed from New to Closed
  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #4

Updated by Victor Julien over 6 years ago

  • Target version deleted (TBD)
Actions
Copy link

Also available in: Atom PDF