Bug #6105
closedbyte_jump does not allow variable name to be used consistently
Description
It doesn't appear that byte_jump allows the use of a variable name for the number of bytes but it is allowed for offset?
"The value in <var_name> can be used in any modifier that takes a number as an option and in the case of byte_test it can be used as a value."
alert tcp any any -> any any (msg:"byte_jump varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:!1,relative; classtype:bad-unknown; sid:1; rev:1;)
[50474 - Suricata-Main] 2023-05-30 21:01:43 Error: detect-bytejump: Malformed number of bytes: rpkt_len,0,relative
[50474 - Suricata-Main] 2023-05-30 21:01:43 Debug: detect-parse: "byte_jump" failed to setup
[50474 - Suricata-Main] 2023-05-30 21:01:43 Error: detect: error parsing signature "alert tcp any any -> any any (msg:"byte_jump varname test sig 1"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:!1,relative; classtype:bad-unknown; sid:1; rev:1;)" from file /home/jt/rules/test.rules at line 1
the following sig does load
alert tcp any any -> any any (msg:"byte_jump varname test sig 2"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,0,rpkt_len,relative; byte_jump:0,rpkt_len,relative; isdataat:!1,relative; classtype:bad-unknown; sid:2; rev:1;)
[50549 - Suricata-Main] 2023-05-30 21:05:44 Debug: detect: signature 2 loaded
[50549 - Suricata-Main] 2023-05-30 21:05:44 Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect-byte-extract: extracted value is 5
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: [BE] Fetched value for index 0: 5
[50582 - FR#01] 2023-05-30 21:06:07 Debug: flow-manager: woke up...
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: Entering ... >>
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect: byte_jump offset is: 5
[50579 - W#01] 2023-05-30 21:06:07 Debug: detect-bytejump: Entering ... >>
I added some additional logging to my setup to get the debug information for byte_jump values but we can see the byte_jump offset is 5 for the second signature which is our rpkt_len value from the byte extract in the attached pcap.
Files