Project

General

Profile

Actions

Bug #4623

closed

byte_jump with negative post_offset value fails at the end of the buffer

Added by Jessie Leung over 3 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Quoting documentation for post_offset:
[post_offset] <value> After the jump operation has been performed, it will jump an additional number of bytes specified by <value>
post_offset works with negative values to jump the pointer back this value, and proceeding patterns can continue matching. It's useful as a negative distance value for relative PCRE following it in my use case.

For example, using attached [random_tcp.pcap]:

1. (success) the following signature matches up to the second last byte in the buffer in [random_tcp.pcap]. A negative post_offset is used and the following pcre matches up to the end of the buffer.
drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|3a 01 e8 ed 0f|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\x7c\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1000001; )

2. (success) we write a signature to match and move the pointer to the last byte, and we see that content does successfully match the last byte.
drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; sid:1000003; )

2. (failure) the following signature matches up to the last byte in the buffer as in 2. The same negative post_offset is used and we try to match values immediately after where the pointer should be. This signature does not match.
drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1000002; )

This is tested on 5.0.3.


Files

random_tcp.pcap (243 Bytes) random_tcp.pcap example capture of a single tcp packet Jessie Leung, 08/24/2021 06:06 PM

Subtasks 1 (0 open1 closed)

Bug #6378: byte_jump with negative post_offset value fails at the end of the buffer (6.0.x backport)ClosedShivani BhardwajActions

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #4624: byte_jump with negative post_offset before start of buffer failureClosedJeff LucovskyActions
Actions

Also available in: Atom PDF