Feature #3626

closed

implement from_end byte_jump keyword

Added by Jason Taylor over 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

from_end is documented:
https://suricata.readthedocs.io/en/suricata-5.0.2/rules/payload-keywords.html#byte-jump

However, it is not implemented in the Suricata code.

The following rule is shown as an example in the Suricata docs:

alert tcp any any -> any any \
(msg:"Byte_Jump From the End -8 Bytes"; \
byte_jump:0,0, from_end, post_offset -8; \
content:"|6c 33 33 74|"; distance:0 within:4;)

When attempting to load the rule, the following is logged:
Problem starting Suricata daemon: [2101] 8/4/2020 -- 18:08:31 - (detect-bytejump.c:462) (DetectBytejumpParse) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unknown option: "from_end"

Actions #1

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 6.0.0beta1
Actions #2

Updated by Jeff Lucovsky over 1 year ago

  • Status changed from Assigned to In Review
Actions #3

Updated by Jeff Lucovsky about 1 year ago

  • Status changed from In Review to Closed