Bug #4623

closed

byte_jump with negative post_offset value fails at the end of the buffer

Added by Jessie Leung over 2 years ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal

Description

Quoting documentation for post_offset:
[post_offset] <value> After the jump operation has been performed, it will jump an additional number of bytes specified by <value>
post_offset works with negative values to jump the pointer back by this value, and subsequent patterns can continue matching. It's useful as a negative distance value for a relative PCRE following it in my use case.

For example, using attached [random_tcp.pcap]:

1. (success) the following signature matches up to the second last byte in the buffer in [random_tcp.pcap]. A negative post_offset is used and the following pcre matches up to the end of the buffer.
drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|3a 01 e8 ed 0f|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\x7c\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1000001; )

2. (success) we write a signature to match and move the pointer to the last byte, and we see that content does successfully match the last byte.
drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; sid:1000003; )

3. (failure) the following signature matches up to the last byte in the buffer as in 2. The same negative post_offset is used and we try to match values immediately after where the pointer should be. This signature does not match.
drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1000002; )

This is tested on 5.0.3.
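A Python model of the documented byte_jump/post_offset semantics, added here as an illustration and not part of this ticket or of Suricata's code. The payload is constructed to end with the bytes the three signatures reference (random_tcp.pcap is not on this page), and the reject_pointer_at_end switch is a hypothetical bound check that reproduces the pass/fail pattern of cases 1 to 3, not a statement of the actual cause.

```python
import re

# Constructed sample payload standing in for random_tcp.pcap (not on this page):
# it only needs to end with the bytes the three signatures in the report reference.
PAYLOAD = bytes.fromhex("00 11 22 33 44 55 66 77 88 99 7c e0 3a 01 e8 ed 0f 54")

def run_rule(buf, content, byte_jump=None, pcre=None, reject_pointer_at_end=False):
    """Model of the detection steps used by the three signatures in the report.

    content:   bytes that must occur; the pointer moves to just past the match.
    byte_jump: (num_bytes, offset, post_offset) with the 'relative' modifier, i.e.
               read num_bytes at pointer+offset, jump that many bytes, then add post_offset.
    pcre:      bytes regex evaluated with the /R modifier (anchored at the pointer).
    reject_pointer_at_end: hypothetical bound check that treats a pointer sitting
               exactly at the end of the buffer as out of range (not Suricata's code).
    Returns the final pointer, or None when the rule does not match.
    """
    idx = buf.find(content)
    if idx < 0:
        return None
    ptr = idx + len(content)          # content match: pointer is right after the bytes
    if byte_jump is not None:
        num_bytes, offset, post_offset = byte_jump
        start = ptr + offset
        if start < 0 or start + num_bytes > len(buf):
            return None               # the bytes to convert must lie inside the buffer
        if reject_pointer_at_end and start >= len(buf):
            return None               # hypothetical off-by-one that case 3 would hit
        value = int.from_bytes(buf[start:start + num_bytes], "big") if num_bytes else 0
        ptr = start + value + post_offset   # jump, then apply post_offset (may be negative)
        if ptr < 0 or ptr > len(buf):
            return None               # pointer may sit at the end, but not beyond it
    if pcre is not None and re.match(pcre, buf[ptr:]) is None:
        return None
    return ptr

# The three signatures from the report, reduced to their content/byte_jump/pcre parts.
CASE1 = dict(content=bytes.fromhex("3a01e8ed0f"), byte_jump=(0, 0, -7),
             pcre=rb"^\x7c\xe0\x3a\x01\xe8\xed\x0f\x54")
CASE2 = dict(content=bytes.fromhex("01e8ed0f54"))
CASE3 = dict(content=bytes.fromhex("01e8ed0f54"), byte_jump=(0, 0, -7),
             pcre=rb"^\xe0\x3a\x01\xe8\xed\x0f\x54")

def report_results(buf=PAYLOAD, reject_pointer_at_end=False):
    """Return whether each of the three cases matches under the chosen bound check."""
    return tuple(run_rule(buf, reject_pointer_at_end=reject_pointer_at_end, **c) is not None
                 for c in (CASE1, CASE2, CASE3))
```

Under the documented semantics all three cases match; only the hypothetical check that rejects a pointer at buffer end turns case 3 into a miss while leaving cases 1 and 2 intact, which is the pattern the report describes.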


Files

random_tcp.pcap (243 bytes): example capture of a single TCP packet. Jessie Leung, 08/24/2021 06:06 PM

Subtasks 1 (0 open, 1 closed)

Bug #6378: byte_jump with negative post_offset value fails at the end of the buffer (6.0.x backport). Status: Closed. Assignee: Shivani Bhardwaj

Related issues 1 (0 open, 1 closed)

Related to Suricata - Bug #4624: byte_jump with negative post_offset before start of buffer failure. Status: Closed. Assignee: Jeff Lucovsky

#1

Updated by Philippe Antoine 10 months ago

  • Assignee set to OISF Dev
  • Target version set to 8.0.0-beta1
#2

Updated by Victor Julien 10 months ago

  • Related to Bug #4624: byte_jump with negative post_offset before start of buffer failure added
#3

Updated by Victor Julien 7 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jeff Lucovsky
#4

Updated by Victor Julien 7 months ago

  • Target version changed from 8.0.0-beta1 to 7.0.2
  • Label Needs backport to 6.0 added
#5

Updated by OISF Ticketbot 7 months ago

  • Subtask #6378 added
#6

Updated by OISF Ticketbot 7 months ago

  • Label deleted (Needs backport to 6.0)
#7

Updated by Victor Julien 6 months ago

  • Target version changed from 7.0.2 to 7.0.3
#8

Updated by Jeff Lucovsky 6 months ago

  • Status changed from Assigned to In Review
#9

Updated by Jeff Lucovsky 6 months ago

  • Status changed from In Review to Resolved
#10

Updated by Shivani Bhardwaj 6 months ago

  • Status changed from Resolved to Closed