Project

General

Profile

Actions

Documentation #6694

open

placement of bitmask note about right shift behavior

Added by Brandon Murphy 10 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Beginner, Good First Issue, Outreachy

Description

byte_test has a snippet bout the right shift in the main keyword doc
https://docs.suricata.io/en/latest/rules/payload-keywords.html#byte-test

The <bitmask value> is applied to the extracted bytes (before the operator is applied), and the final result will be right shifted one bit for each trailing 0 in the <bitmask value>.

but byte_math and byte_jump has it in the table with a description of each keyword option.

i think byte_test should be updated to include the note in the table to match byte_math and byte_jump.


Files

clipboard-202409241726-j3eyi.png (19.8 KB) clipboard-202409241726-j3eyi.png Juliana Fajardini Reichow, 09/24/2024 08:26 PM
clipboard-202409241728-jhzx1.png (11.6 KB) clipboard-202409241728-jhzx1.png Juliana Fajardini Reichow, 09/24/2024 08:28 PM
Actions #1

Updated by Brandon Murphy 10 months ago

  • Status changed from In Progress to New

Updated by Juliana Fajardini Reichow about 2 months ago

Adding to the description:

Currently, the bitmask row for the byte_test keyword looks like:

For this task to be considered completed, the byte_test's table bitmask row should look a bit more like:

(but with the correct info that is mentioned in the ticket description).

Actions

Also available in: Atom PDF