Feature #6649: Add a keyword to match on raw data within headers especially for protocols without a dedicated parser - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #6649

open

Add a keyword to match on raw data within headers especially for protocols without a dedicated parser

Added by Andreas Herz 4 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Effort:

high

Difficulty:

medium

Label:

Description

It would be helpful to have an additional keyword like the `content` one that would also match on headers of protocols after the TCP/UDP headers.

For example:

alert ip $HOME_NET any -> 224.0.0.5 any (msg:"TEST OSPF"; content:"|02 01|; sid: 1337; rev:1;)

wouldn't match on that part of the OSPF header, which is not seen as the packet/stream payload.
It would be one idea to have something like `ipv4.data`

I guess there are more examples that could be covered by such a keyword. This could also help for some cases where a protocol parser is too complicated to write.

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #6649

Add a keyword to match on raw data within headers especially for protocols without a dedicated parser