Feature #6853

open

Support of variables from byte_math / byte_extract in bsize / dsize comparisons

Added by Julian Wecke 9 months ago. Updated 10 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

When doing a size comparison with dsize or bsize one might want to reference a variable extracted with byte_math or byte_extract.

An example use case: you have a protocol with a size field. Such a field you might want to compare with the payload/packet size, either to ensure it's actually the protocol you are looking for or to detect anomalies indicating something like overflow attacks.

Alternatively to having that feature at dsize and bsize, an implementation at byte_test to compare against those size values would be equally helpful.

#1

Updated by Reid Wightman 10 days ago

Julian Wecke wrote:

When doing a size comparison with dsize or bsize one might want to reference a variable extracted with byte_math or byte_extract.

An example use case: you have a protocol with a size field. Such a field you might want to compare with the payload/packet size, either to ensure it's actually the protocol you are looking for or to detect anomalies indicating something like overflow attacks.

Alternatively to having that feature at dsize and bsize, an implementation at byte_test to compare against those size values would be equally helpful.

Hey Julian -

I recently came across the same thing, so I am working towards a proper cure so that dsize can be compared to variables. I'm not sure if I will have the patience or not since it's Rust and I'm brand-new to Rust...

In the meantime, I figured out a kludge to work around this: use isdataat.

For example, you extract a length variable and add some fixed value to it using byte_math, saving the output to variable computedlength. Now you do isdataat:computedlength,<relative, depending on how you calculated your length and what your last content match was>. If there are bytes at that offset, then likely a buffer overflow or a different protocol, or whatever decision you come to based on how the protocol works. Probably the best bet is to compute the last offset you expect there to be payload at, then add 1, in your byte_math.

Hope that helps!
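To make the two approaches in this ticket concrete, the following is an added example (not Suricata code and not a rule from either poster) that models the requested "dsize compared to a byte_math variable" check next to the isdataat workaround from the reply, and runs both over constructed packets. The 4-byte header layout (2-byte magic plus 2-byte big-endian body length), the isdataat semantics ("a byte exists at that 0-based offset"), the sample packets and all function names are assumptions made for the example.

```python
"""Model of byte_extract / byte_math / dsize / isdataat logic over constructed packets.
Added illustration for the ticket; not Suricata code, not a real protocol."""
import struct
from typing import Optional

MAGIC = b"\xca\xfe"   # constructed 2-byte protocol marker (assumption)
HEADER_LEN = 4        # magic (2) + big-endian body length (2) (assumption)

# Rough rule shape behind isdataat_workaround(), as the reply describes it.
# Illustrative only; check keyword syntax against the Suricata version in use:
#   content:"|CA FE|"; depth:2;
#   byte_math:bytes 2, offset 2, oper +, rvalue 4, result computedlength;
#   isdataat:computedlength;


def byte_extract(payload: bytes, offset: int, nbytes: int, endian: str = "big") -> Optional[int]:
    """Read nbytes at offset as an unsigned integer, like the byte_extract keyword.
    Returns None if the payload is too short to hold the field."""
    if offset + nbytes > len(payload):
        return None
    return int.from_bytes(payload[offset:offset + nbytes], endian)


def byte_math(value: int, oper: str, rvalue: int) -> int:
    """Subset of the byte_math keyword: apply one arithmetic operator to the extracted value."""
    ops = {"+": value + rvalue, "-": value - rvalue, "*": value * rvalue,
           "/": value // rvalue if rvalue else 0}
    return ops[oper]


def isdataat(payload: bytes, offset: int) -> bool:
    """Assumed isdataat semantics: true if a byte exists at 0-based offset."""
    return len(payload) > offset


def computed_length(payload: bytes) -> Optional[int]:
    """Expected total size = declared body length + header (the byte_math result variable)."""
    declared = byte_extract(payload, 2, 2)
    if declared is None:
        return None
    return byte_math(declared, "+", HEADER_LEN)


def dsize_check(payload: bytes) -> str:
    """What the feature request asks for: compare dsize against the computed variable."""
    if payload[:2] != MAGIC:
        return "not-our-protocol"
    expected = computed_length(payload)
    if expected is None:
        return "truncated-header"
    if len(payload) > expected:
        return "trailing-data"      # more bytes than the size field admits
    if len(payload) < expected:
        return "short-payload"      # size field claims more than was sent
    return "ok"


def isdataat_workaround(payload: bytes) -> str:
    """The kludge from the reply: isdataat at (last expected payload offset + 1)."""
    if payload[:2] != MAGIC:
        return "not-our-protocol"
    expected = computed_length(payload)
    if expected is None:
        return "truncated-header"
    # last expected offset is expected - 1; adding 1 gives `expected`
    return "trailing-data" if isdataat(payload, expected) else "ok"


def build(body: bytes, declared: Optional[int] = None) -> bytes:
    """Construct a packet; the declared length defaults to the real body length."""
    n = len(body) if declared is None else declared
    return MAGIC + struct.pack(">H", n) + body


# Constructed sample packets
SAMPLES = {
    "well_formed": build(b"hello"),
    "overflow_like": build(b"hello", declared=2),   # 3 bytes beyond the declared length
    "short": build(b"hi", declared=10),             # declares more than it carries
    "other_protocol": b"\x00\x01\x00\x05hello",     # wrong magic
}


def run_all() -> dict:
    """Return {sample name: (dsize-vs-variable verdict, isdataat-kludge verdict)}."""
    return {name: (dsize_check(p), isdataat_workaround(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (wanted, kludge) in run_all().items():
        print(f"{name:15s} dsize-vs-variable={wanted:17s} isdataat-kludge={kludge}")
```

The "short" sample is the point worth noticing: a direct dsize comparison flags a packet whose size field claims more bytes than were sent, while the isdataat workaround only fires when there are bytes past the declared end, so the kludge covers the "extra data" case but not the "declared length too large" case.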
