
Bug #6105


byte_jump does not allow variable name to be used consistently

Added by Jason Taylor about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal

Description

It doesn't appear that byte_jump allows the use of a variable name for the number of bytes but it is allowed for offset?

"The value in <var_name> can be used in any modifier that takes a number as an option and in the case of byte_test it can be used as a value."

alert tcp any any -> any any (msg:"byte_jump varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:!1,relative; classtype:bad-unknown; sid:1; rev:1;)

[50474 - Suricata-Main] 2023-05-30 21:01:43 Error: detect-bytejump: Malformed number of bytes: rpkt_len,0,relative
[50474 - Suricata-Main] 2023-05-30 21:01:43 Debug: detect-parse: "byte_jump" failed to setup
[50474 - Suricata-Main] 2023-05-30 21:01:43 Error: detect: error parsing signature "alert tcp any any -> any any (msg:"byte_jump varname test sig 1"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:!1,relative; classtype:bad-unknown; sid:1; rev:1;)" from file /home/jt/rules/test.rules at line 1

The following sig does load:
alert tcp any any -> any any (msg:"byte_jump varname test sig 2"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:0,rpkt_len,relative; isdataat:!1,relative; classtype:bad-unknown; sid:2; rev:1;)

[50549 - Suricata-Main] 2023-05-30 21:05:44 Debug: detect: signature 2 loaded
[50549 - Suricata-Main] 2023-05-30 21:05:44 Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed

[50579 - W#01] 2023-05-30 21:06:07 Debug: detect-byte-extract: extracted value is 5
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: [BE] Fetched value for index 0: 5
[50582 - FR#01] 2023-05-30 21:06:07 Debug: flow-manager: woke up...
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: Entering ... >>
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: byte_jump offset is: 5
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect-bytejump: Entering ... >>

I added some additional logging to my setup to get the debug information for byte_jump values, but we can see the byte_jump offset is 5 for the second signature, which is our rpkt_len value from the byte_extract in the attached pcap.


Files

240d9c750e7c942.pcap (527 Bytes) - Jason Taylor, 05/30/2023 09:11 PM
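Added example (not from the ticket, and not Suricata's own code): a small simulator of the byte_extract / byte_jump / isdataat chain from the two signatures above, run over a constructed payload. It assumes the standard byte_jump behaviour (read nbytes at the current pointer plus offset, then land just past those bytes plus the value read), models nbytes=0 as reading the value 0, and shows that the signature that loads (nbytes=0, offset=rpkt_len) is not equivalent to the one that fails to parse (nbytes=rpkt_len, offset=0).

```python
# Assumed semantics (not copied from Suricata source): big-endian values,
# relative positions, pointer lands just past the bytes read plus the value.

def byte_extract(payload, pos, nbytes, offset, variables, name):
    """byte_extract:<nbytes>,<offset>,<name>,relative -> stores value, advances pointer."""
    start = pos + offset
    if start < 0 or start + nbytes > len(payload):
        return None                                  # not enough data: keyword fails
    variables[name] = int.from_bytes(payload[start:start + nbytes], "big")
    return start + nbytes

def byte_jump(payload, pos, nbytes, offset):
    """byte_jump:<nbytes>,<offset>,relative -> new pointer, or None on failure."""
    start = pos + offset
    if start < 0 or start + nbytes > len(payload):
        return None
    value = int.from_bytes(payload[start:start + nbytes], "big")  # nbytes == 0 -> 0
    target = start + nbytes + value
    return target if 0 <= target <= len(payload) else None

def isdataat_not_1(payload, pos):
    """isdataat:!1,relative -> true when no byte remains after the pointer."""
    return pos + 1 > len(payload)

def run_chain(payload, nbytes_arg, offset_arg):
    """Evaluate: content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative;
    byte_jump:<nbytes_arg>,<offset_arg>,relative; isdataat:!1,relative.
    An argument given as the string "rpkt_len" is resolved from the variable."""
    idx = payload.find(b"\x00\x00\x00")
    if idx < 0:
        return False
    variables = {}
    pos = byte_extract(payload, idx + 3, 1, 0, variables, "rpkt_len")
    if pos is None:
        return False
    resolve = lambda a: variables[a] if isinstance(a, str) else a
    pos = byte_jump(payload, pos, resolve(nbytes_arg), resolve(offset_arg))
    return pos is not None and isdataat_not_1(payload, pos)

# Constructed payload: 3-byte marker, 1-byte length (5), then exactly 5 bytes.
PAYLOAD = b"\x00\x00\x00\x05" + b"\x01\x02\x03\x04\x05"

def compare():
    """sig 2 as loaded (nbytes=0, offset=rpkt_len) vs sig 1 as written (nbytes=rpkt_len, offset=0)."""
    return {"sig2": run_chain(PAYLOAD, 0, "rpkt_len"),
            "sig1": run_chain(PAYLOAD, "rpkt_len", 0)}
```

With this payload sig 2 reaches the end of the data and matches, while sig 1 would read the five data bytes as a jump value and jump past the packet, so the two forms check different things.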

Related issues: 1 (0 open, 1 closed)

Copied to Suricata - Feature #6144: byte_test: allow variable name for nbytes (Closed, Jeff Lucovsky)
#1

Updated by Jason Taylor about 2 years ago

  • Subject changed from byte_jump does not allow variable name to be used to byte_jump does not allow variable name to be used consistently
#2

Updated by Victor Julien about 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jeff Lucovsky
  • Priority changed from Normal to Low
  • Target version changed from TBD to 7.0.0-rc2
#3

Updated by Jeff Lucovsky about 2 years ago

  • Status changed from Assigned to In Progress
#9

Updated by Jeff Lucovsky almost 2 years ago

  • Copied to Feature #6144: byte_test: allow variable name for nbytes added
#10

Updated by Victor Julien almost 2 years ago

  • Target version changed from 7.0.0-rc2 to 7.0.0
#11

Updated by Jeff Lucovsky almost 2 years ago

  • Status changed from In Progress to In Review
#13

Updated by Victor Julien almost 2 years ago

  • Status changed from In Review to Closed
  • Priority changed from Low to Normal