Bug #6070: byte_match: Multiplication operator not supported - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6070

closed

byte_match: Multiplication operator not supported

Added by Jeff Lucovsky 12 months ago. Updated 10 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

6.0.13

Affected Versions:

6.0.12

Effort:

Difficulty:

Label:

Description

On Suricata 6.0.x, the byte_math multiplication operator is not

 $ cat bm.rule
alert tcp any any -> any 44818 (msg:"Alert PLC Allen Bradley"; byte_math:bytes 1, offset 46,oper *,rvalue 2, result var, string dec; content:"|20 6b|"; offset:47; depth:var; sid:10001; rev:1;)
jlucovsky@ ~/src/jal/master-6.0.x (master-6.0.x) $ src/suricata -T -c suricata.yaml -S bm.rule
18/5/2023 -- 08:25:26 - <Info> - Running suricata under test mode
18/5/2023 -- 08:25:26 - <Notice> - This is Suricata version 6.0.12 RELEASE running in SYSTEM mode
18/5/2023 -- 08:25:26 - <Error> - [ERRCODE: SC_ERR_PCRE_PARSE(7)] - byte_math parse error; invalid value: ret -1, string "bytes 1, offset 46,oper *,rvalue 2, result var, string dec" 
18/5/2023 -- 08:25:26 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 44818 (msg:"Alert PLC Allen Bradley"; byte_math:bytes 1, offset 46,oper *,rvalue 2, result var, string dec; content:"|20 6b|"; offset:47; depth:var; sid:10001; rev:1;) " from file bm.rule at line 1
18/5/2023 -- 08:25:26 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
18/5/2023 -- 08:25:26 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.