Feature #2311
closedmath on extracted values
VJ Updated by Victor Julien over 8 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
VJ Updated by Victor Julien almost 8 years ago
We need feedback on what usecases would need to be added/supported.
VJ Updated by Victor Julien over 7 years ago
- Effort set to low
- Difficulty set to medium
DW Updated by David Wharton over 7 years ago
While Suricata has matured to the point where it should be defining IDS rule capabilities instead of reacting to other vendors, I think in this case it makes sense to try to make this compatible with the existing Snort 'byte_math' keyword.
Format:
byte_math:bytes <bytes_to_extract>, offset <offset_value>, oper <operator>,
rvalue <r_value>, result <result_variable> [, relative]
[, endian <endian>] [, string <number type>][, dce]
[, bitmask <bitmask_value>];
Ref: Snort 2.9.9.0 manual, section 3.5.34
This keyword is functionally different but structurally similar (not exact) to other 'byte_*' keywords such as 'byte_test', 'byte_extract' and 'byte_jump'.
Cross-variable buffer usage should be allowed, however this may be a challenge (or secondary goal) since currently cross-buffer byte extraction and usage isn't currently supported.
VJ Updated by Victor Julien about 7 years ago
- Assignee set to Community Ticket
- Priority changed from Low to Normal
VJ Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Jeff Lucovsky
- Target version changed from TBD to 6.0.0beta1
VJ Updated by Victor Julien about 6 years ago
- Status changed from Assigned to In Review
JL Updated by Jeff Lucovsky almost 6 years ago
JL Updated by Jeff Lucovsky over 5 years ago
- Status changed from In Review to Closed