Feature #5657 (open): byte_test: allow comparison with static value

Added by Juliana Fajardini Reichow 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

If one wants to compare two specific portions of the packet stream to a static value (after some byte_math operation, for instance),
that's not possible with the current state of the Suricata rules language.

It would be a nice addition to be able to do so.

Expected:

Allow usage of 'value_compare: val1, val2, op' in the rule language, with byte_test.

#1

Updated by Nicolas Bockmuehl 3 months ago

In the first use case we want to extract the values from Byte A and Byte B and sum them up. The sum is always the value 300.
At the moment it is not possible to compare the result of Byte A + Byte B to a static value (like the 300 here).
byte_test also doesn't allow comparing a value to a static value (like the 300).

It would be nice to introduce a function which is able to compare two values. Static values should also be allowed.
value_compare: val1, val2, op -> value_compare(result_from_sum_A_and_B, 300, =)

In the second use case we want to detect a packet where the first two bytes store the length of the whole packet. Here it would be helpful to use a value_compare function. If such a function existed we could extract the value from the first two bytes and the packet size and compare these two in the value_compare function. -> value_compare(extracted_length_from_first_bytes, packet_size, =)
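The following is an added example, not code from Suricata or from the people in this ticket, that models the semantics the two use cases above ask for: a byte_extract-style read of unsigned integers from a packet, a byte_math-style addition, and the proposed value_compare(val1, val2, op) applied to a static value (use case 1) and to the observed packet size (use case 2). The function names, the offsets, and the sample packets are all constructed for illustration; value_compare does not exist in Suricata's rule language as of this ticket, and the model ignores real details such as relative offsets and string-encoded numbers. A check that cannot read its bytes (packet too short) simply does not match instead of raising, which is how a rule keyword should behave.

```python
# Added model of the proposed value_compare semantics (not Suricata code).

OPS = {
    "=":  lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<":  lambda a, b: a < b,
    ">":  lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}


def extract(packet: bytes, offset: int, size: int, big_endian: bool = True) -> int:
    """Read an unsigned integer of `size` bytes at `offset` (byte_extract-style).

    Raises ValueError when the window falls outside the packet.
    """
    if offset < 0 or size <= 0 or offset + size > len(packet):
        raise ValueError("extraction window outside packet")
    return int.from_bytes(packet[offset:offset + size], "big" if big_endian else "little")


def value_compare(val1: int, val2: int, op: str) -> bool:
    """The proposed keyword: compare two values, either of which may be static."""
    if op not in OPS:
        raise ValueError(f"unknown operator {op!r}")
    return OPS[op](val1, val2)


def check_sum_against_static(packet: bytes, offset_a: int = 0, offset_b: int = 1,
                             expected: int = 300) -> bool:
    """Use case 1: Byte A + Byte B (byte_math-style add) must equal a static 300.

    Offsets and the expected value are assumed for the example.
    """
    try:
        a = extract(packet, offset_a, 1)
        b = extract(packet, offset_b, 1)
    except ValueError:
        return False  # bytes not present: the rule does not match
    return value_compare(a + b, expected, "=")


def check_length_against_packet_size(packet: bytes) -> bool:
    """Use case 2: the 16-bit big-endian length in the first two bytes must equal
    the size of the whole packet (endianness assumed for the example)."""
    try:
        declared = extract(packet, 0, 2)
    except ValueError:
        return False
    return value_compare(declared, len(packet), "=")


# Constructed sample packets (not real captures).
PKT_SUM_300 = bytes([150, 150, 0x00, 0x00])           # 150 + 150 = 300 -> match
PKT_SUM_OTHER = bytes([1, 2, 0x00, 0x00])             # 1 + 2 = 3 -> no match
PKT_LEN_OK = (10).to_bytes(2, "big") + b"\x00" * 8    # declares 10, is 10 bytes
PKT_LEN_BAD = (12).to_bytes(2, "big") + b"\x00" * 8   # declares 12, is 10 bytes
PKT_SHORT = b"\x01"                                   # too short for either check


if __name__ == "__main__":
    for name, pkt in [("sum_300", PKT_SUM_300), ("sum_other", PKT_SUM_OTHER),
                      ("len_ok", PKT_LEN_OK), ("len_bad", PKT_LEN_BAD),
                      ("short", PKT_SHORT)]:
        print(f"{name:10s} sum==300: {check_sum_against_static(pkt)!s:5s} "
              f"len==size: {check_length_against_packet_size(pkt)}")
```

Keeping the comparison as a separate step from the extraction and the arithmetic is the point of the proposal: each operand of value_compare can come from the packet, from a prior byte_math result, or be a literal, and the matching logic never has to special-case which it is.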
