Feature #2075
closed
Wildcard matching in suricata hex content matching
Added by Jason Williams about 7 years ago.
Updated over 6 years ago.
Description
There could be use cases where being able to use wildcards in hex content would be useful, replacing the need for pcre.
example:
content:"watch me count|3a 20 00 01 02 ?? 04|";
I don't think we can do this. Content keyword is all about literal matching and changing this would have a profound impact on a lot of code and logic (and likely performance).
You can of course express this already like this:
content:"watch me count|3a 20 00 01 02|"; content:"|04|"; distance:1; within:1;
We're planning to experiment with Hyperscan to optimize this into a regex and see how that will perform. That would be a hyperscan only optimization though, so for now I'm not willing to update the rule language for it. Rather it would happen behind the scenes.
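To make the workaround above concrete, here is a small Python model of Suricata-style content matching (added here as an illustration; it is not Suricata code and not part of this issue). It compares the wildcard form from the description, using a hypothetical `??` token that Suricata does not support, against the two-content `distance:1; within:1;` form, and shows that both accept and reject the same constructed payloads. The model applies `within` to the search window that starts after `distance` has been added, which is the reading under which the one-byte rule above pins the byte exactly; function names and sample payloads are constructed for the example.

```python
# Added example, not from the Suricata project or this issue: a small model of
# relative content matching that shows why
#   content:"..."; content:"|04|"; distance:1; within:1;
# behaves like a one-byte hex wildcard. The '??' token, the function names and
# the sample payloads are constructed for illustration only.
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]  # None stands in for the hypothetical wildcard byte


def parse_content(text: str) -> Pattern:
    """Parse a content value such as 'abc|3a 20 ?? 04|' into a byte pattern.

    Characters outside pipes are literal ASCII; inside pipes, two-digit hex
    tokens are bytes. '??' is NOT Suricata syntax; it models the wildcard
    requested in the issue so the two rule forms can be compared.
    """
    pattern: Pattern = []
    in_hex = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "|":
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if ch.isspace():
                i += 1
                continue
            token = text[i:i + 2]
            pattern.append(None if token == "??" else int(token, 16))
            i += 2
        else:
            pattern.append(ord(ch))
            i += 1
    if in_hex:
        raise ValueError("unterminated hex section in content")
    return pattern


def find(payload: bytes, pattern: Pattern, start: int = 0,
         end: Optional[int] = None) -> int:
    """Offset of the first match of pattern lying entirely inside
    payload[start:end], or -1 if there is none."""
    end = len(payload) if end is None else min(end, len(payload))
    n = len(pattern)
    for off in range(start, end - n + 1):
        if all(p is None or payload[off + k] == p for k, p in enumerate(pattern)):
            return off
    return -1


# A rule is a list of (content, distance, within). distance/within are
# relative to the end of the previous content match and unused on the first.
Rule = List[Tuple[str, Optional[int], Optional[int]]]


def rule_matches(payload: bytes, rule: Rule) -> bool:
    """Evaluate a chain of relative contents against one payload.

    Model (an assumption of this example): after a previous match ending at
    prev_end, the next search window starts at prev_end + distance and the
    match must end no later than window_start + within.
    """
    prev_end = 0
    for idx, (content, distance, within) in enumerate(rule):
        pattern = parse_content(content)
        if idx == 0:
            off = find(payload, pattern)
        else:
            start = prev_end + (distance or 0)
            end = None if within is None else start + within
            off = find(payload, pattern, start, end)
        if off < 0:
            return False
        prev_end = off + len(pattern)
    return True


# The wildcard form proposed in the issue (with the modelled '??' token) ...
WILDCARD_RULE: Rule = [("watch me count|3a 20 00 01 02 ?? 04|", None, None)]
# ... and the relative-content form that the rule language supports today.
RELATIVE_RULE: Rule = [
    ("watch me count|3a 20 00 01 02|", None, None),
    ("|04|", 1, 1),
]

# Constructed sample payloads ("3a 20" is ": ").
SAMPLES = {
    "exact": b"watch me count: \x00\x01\x02\x03\x04",         # wildcard byte is 0x03
    "any_byte": b"watch me count: \x00\x01\x02\xff\x04",      # wildcard byte is 0xff
    "no_gap": b"watch me count: \x00\x01\x02\x04",            # 0x04 one byte too early
    "two_gap": b"watch me count: \x00\x01\x02\x03\x03\x04",   # gap is two bytes
    "later_04": b"watch me count: \x00\x01\x02\x04\x04",      # second 0x04 sits right
}


def compare(payloads=SAMPLES) -> dict:
    """Return {name: (wildcard_result, relative_result)} for each payload."""
    return {name: (rule_matches(p, WILDCARD_RULE), rule_matches(p, RELATIVE_RULE))
            for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (w, r) in compare().items():
        print(f"{name:10s} wildcard={w} relative={r}")
```

Running it shows the two forms agreeing on every sample: the one-byte gap payloads match, the zero-byte and two-byte gap payloads do not. The same `distance:N; within:N;` pattern generalises to skipping N bytes before a one-byte anchor, which is the idiom the reply above describes.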
Understood, depending upon the use case that is how we do it now. Thanks!
- Status changed from New to Closed
- Assignee set to OISF Dev
- Target version set to TBD
- Target version deleted (TBD)