Project

General

Profile

Actions

Bug #6105

closed

byte_jump does not allow variable name to be used consistently

Added by Jason Taylor over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It doesn't appear that byte_jump allows the use of a variable name for the number of bytes but it is allowed for offset?

"The value in <var_name> can be used in any modifier that takes a number as an option and in the case of byte_test it can be used as a value."

alert tcp any any -> any any (msg:"byte_jump varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:!1,relative; classtype:bad-unknown; sid:1; rev:1;)

[50474 - Suricata-Main] 2023-05-30 21:01:43 Error: detect-bytejump: Malformed number of bytes: rpkt_len,0,relative
[50474 - Suricata-Main] 2023-05-30 21:01:43 Debug: detect-parse: "byte_jump" failed to setup
[50474 - Suricata-Main] 2023-05-30 21:01:43 Error: detect: error parsing signature "alert tcp any any -> any any (msg:"byte_jump varname test sig 1"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:!1,relative; classtype:bad-unknown; sid:1; rev:1;)" from file /home/jt/rules/test.rules at line 1

the following sig does load
alert tcp any any -> any any (msg:"byte_jump varname test sig 2"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:0,rpkt_len,relative; isdataat:!1,relative; classtype:bad-unknown; sid:2; rev:1;)

[50549 - Suricata-Main] 2023-05-30 21:05:44 Debug: detect: signature 2 loaded
[50549 - Suricata-Main] 2023-05-30 21:05:44 Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed

[50579 - W#01] 2023-05-30 21:06:07 Debug: detect-byte-extract: extracted value is 5
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: [BE] Fetched value for index 0: 5
[50582 - FR#01] 2023-05-30 21:06:07 Debug: flow-manager: woke up...
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: Entering ... >>
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: byte_jump offset is: 5
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect-bytejump: Entering ... >>

I added some additional logging to my setup to get the debug information for byte_jump values but we can see the byte_jump offset is 5 for the second signature which is our rpkt_len value from the byte extract in the attached pcap.


Files

240d9c750e7c942.pcap (527 Bytes) 240d9c750e7c942.pcap Jason Taylor, 05/30/2023 09:11 PM

Related issues 1 (0 open1 closed)

Copied to Suricata - Feature #6144: byte_test: allow variable name for nbytesClosedJeff LucovskyActions
Actions

Also available in: Atom PDF