Project

General

Profile

Actions

Bug #3283

closed

bitmask option of payload-keyword byte_test not working

Added by Achim Hofmann over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The documentation [1] for the payload-keyword byte_test claims that there should be a "bitmask" option. However, I haven't managed to write a working rule making use of it, yet.

For example, the following rule...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST-RULE duckduckgo.com"; flow:to_server,established; content:"duckduckgo.com"; fast_pattern:only; http_header; byte_test:3,=,0x343433,1,relative,bitmask 0xFFFFFF; sid:500; rev:1;)

...results in error message:
[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 3,=,0x343433,1,relative,bitmask 0xFFFFFF

Without the bitmask option the rule works fine.

[1] https://suricata.readthedocs.io/en/suricata-5.0.0/rules/payload-keywords.html#byte-test

Actions #1

Updated by Victor Julien over 4 years ago

  • Assignee set to Jeff Lucovsky
  • Target version set to 6.0.0beta1

Quick look suggests this is simply not implemented.

Jeff could you look at how involved this would be to support? We can then decide to support it in 5.0.x or 6.0beta1. In the latter case we may have to remove documentation ref to it.

Actions #2

Updated by Victor Julien about 4 years ago

  • Status changed from New to In Review
Actions #3

Updated by Jeff Lucovsky about 4 years ago

Merged into master on 3/22/2020

Actions #4

Updated by Victor Julien over 3 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF