Bug #3283
closedbitmask option of payload-keyword byte_test not working
Description
The documentation [1] for the payload-keyword byte_test claims that there should be a "bitmask" option. However, I haven't managed to write a working rule making use of it, yet.
For example, the following rule...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST-RULE duckduckgo.com"; flow:to_server,established; content:"duckduckgo.com"; fast_pattern:only; http_header; byte_test:3,=,0x343433,1,relative,bitmask 0xFFFFFF; sid:500; rev:1;)
...results in error message:
[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 3,=,0x343433,1,relative,bitmask 0xFFFFFF
Without the bitmask option the rule works fine.
[1] https://suricata.readthedocs.io/en/suricata-5.0.0/rules/payload-keywords.html#byte-test
Updated by Victor Julien about 5 years ago
- Assignee set to Jeff Lucovsky
- Target version set to 6.0.0beta1
Quick look suggests this is simply not implemented.
Jeff could you look at how involved this would be to support? We can then decide to support it in 5.0.x or 6.0beta1. In the latter case we may have to remove documentation ref to it.
Updated by Victor Julien almost 5 years ago
- Status changed from New to In Review
Updated by Victor Julien over 4 years ago
- Status changed from In Review to Closed