Bug #4623
closedbyte_jump with negative post_offset value fails at the end of the buffer
Description
Quoting documentation for post_offset:[post_offset] <value> After the jump operation has been performed, it will jump an additional number of bytes specified by <value>
post_offset works with negative values to jump the pointer back this value, and proceeding patterns can continue matching. It's useful as a negative distance value for relative PCRE following it in my use case.
For example, using attached [random_tcp.pcap]:
1. (success) the following signature matches up to the second last byte in the buffer in [random_tcp.pcap]. A negative post_offset is used and the following pcre matches up to the end of the buffer.drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|3a 01 e8 ed 0f|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\x7c\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1000001; )
2. (success) we write a signature to match and move the pointer to the last byte, and we see that content does successfully match the last byte.drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; sid:1000003; )
2. (failure) the following signature matches up to the last byte in the buffer as in 2. The same negative post_offset is used and we try to match values immediately after where the pointer should be. This signature does not match.drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1000002; )
This is tested on 5.0.3.
Files
Updated by Philippe Antoine over 1 year ago
- Assignee set to OISF Dev
- Target version set to 8.0.0-beta1
Updated by Victor Julien over 1 year ago
- Related to Bug #4624: byte_jump with negative post_offset before start of buffer failure added
Updated by Victor Julien about 1 year ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
Updated by Victor Julien about 1 year ago
- Target version changed from 8.0.0-beta1 to 7.0.2
- Label Needs backport to 6.0 added
Updated by OISF Ticketbot about 1 year ago
- Label deleted (
Needs backport to 6.0)
Updated by Victor Julien about 1 year ago
- Target version changed from 7.0.2 to 7.0.3
Updated by Jeff Lucovsky about 1 year ago
- Status changed from Assigned to In Review
Closed by: https://github.com/OISF/suricata/pull/9695
Updated by Jeff Lucovsky about 1 year ago
- Status changed from In Review to Resolved
Updated by Shivani Bhardwaj about 1 year ago
- Status changed from Resolved to Closed