Bug #8017
openFlowint: allow assigning variables from smvars.
Description
Hopefully pretty self-explanatory.
I was testing a rule like this:
alert tcp-pkt any any -> any any (msg:"Extract a flowint from a packet?"; byte_extract:2,0,mysmint; flowint:myflowint,=,mysmint; sid:1; )
The above rule 'works', but of course the behaviour of flowint is to look up the 'target' value mysmint only from the list of flow variables and pktvars. Since mysmint is neither of these types, flowint assigns 0 to the value.
I coded up a patch for this already. It requires modifications to detect-flowint.h and detect-flowint.c. In detect-flowint.h, we now pass the Signature pointer to DetectFlowintParse(). DetectFlowintParse now attempts to look up the target variable (if it's a string) first by using DetectByteRetrieveSMVar(). If this retrieval is successful, DetectFlowintParse assigns the target variable a new type (FLOWINT_TARGET_BYTEVAR), and assigns a new integer value to be the SMVar index of the variable in the SMVar array.
Up in DetectFlowintMatch(), we check the type of the target variable. If it is a FLOWINT_TARGET_VAR, the behaviour is exactly as before: first look it up in the list of flowints, and if not found assign 0. If it is the new FLOWINT_TARGET_BYTEVAR, we obtain the value using det_ctx->byte_values[sfd->target.tvar.byteindex] .
I don't think this code has too much impact on the CPU intensity or even the data storage of flowints. It does require one additional integer stored (the tvar.byteindex, a uint8_t). CPU performance should be negligible; it is just one additional conditional check.
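As an added illustration of the parse-time and match-time dispatch described above (this is a stand-alone model written for this page, not the Suricata code or the attached patch; the struct and function names, the stand-in for DetectByteRetrieveSMVar(), and the constructed packet value 0x1234 are all assumptions), the following C program resolves the target token of the ticket's rule once without and once with the SMVar lookup:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Target kinds. TARGET_VAR is the existing "look up a flowint by name" case;
 * TARGET_BYTEVAR is the new case from the ticket (a byte_extract variable,
 * resolved at parse time to a slot in the detect context). Hypothetical names. */
enum target_type { TARGET_VAL, TARGET_VAR, TARGET_BYTEVAR };

struct target {
    enum target_type type;
    uint32_t value;      /* literal, for TARGET_VAL */
    char name[32];       /* flowint name, for TARGET_VAR */
    uint8_t byteindex;   /* slot in byte_values, for TARGET_BYTEVAR */
};

/* Stand-in for the per-thread detect context: results of byte_extract. */
struct det_ctx { uint64_t byte_values[8]; };

/* Stand-in for the per-flow store of named flowints. */
struct flowint_store { const char *names[8]; uint32_t values[8]; int count; };

/* Stand-in for DetectByteRetrieveSMVar(): index of a byte_extract variable in
 * the signature's SMVar list, or -1 if the signature declared no such variable. */
static int smvar_index(const char *const *smvars, int nsmvars, const char *name) {
    for (int i = 0; i < nsmvars; i++)
        if (strcmp(smvars[i], name) == 0) return i;
    return -1;
}

/* Parse-time resolution in the order the ticket describes: a numeric token is a
 * literal; otherwise try the signature's byte_extract variables first, and only
 * then fall back to treating the token as a flowint name. */
void resolve_target(const char *tok, const char *const *smvars, int nsmvars, struct target *out) {
    char *end;
    unsigned long lit = strtoul(tok, &end, 10);
    memset(out, 0, sizeof *out);
    if (*tok != '\0' && *end == '\0') {
        out->type = TARGET_VAL; out->value = (uint32_t)lit; return;
    }
    int idx = smvar_index(smvars, nsmvars, tok);
    if (idx >= 0) {
        out->type = TARGET_BYTEVAR; out->byteindex = (uint8_t)idx; return;
    }
    out->type = TARGET_VAR;
    strncpy(out->name, tok, sizeof out->name - 1);
}

/* Match-time fetch: one extra conditional on the target type. */
uint32_t target_value(const struct target *t, const struct det_ctx *ctx, const struct flowint_store *fs) {
    switch (t->type) {
    case TARGET_VAL:     return t->value;
    case TARGET_BYTEVAR: return (uint32_t)ctx->byte_values[t->byteindex];
    case TARGET_VAR:
        for (int i = 0; i < fs->count; i++)
            if (strcmp(fs->names[i], t->name) == 0) return fs->values[i];
        return 0;   /* unchanged behaviour: an unknown flowint name reads as 0 */
    }
    return 0;
}

/* The ticket's rule: byte_extract:2,0,mysmint; flowint:myflowint,=,mysmint
 * Constructed input: the packet's first two bytes were extracted as 0x1234.
 * with_patch == 0 models the old parser, which never consults the SMVar list. */
uint32_t demo_assign(int with_patch) {
    const char *smvars[] = { "mysmint" };
    struct det_ctx ctx = { .byte_values = { 0x1234 } };
    struct flowint_store fs = { .count = 0 };
    struct target t;
    resolve_target("mysmint", smvars, with_patch ? 1 : 0, &t);
    return target_value(&t, &ctx, &fs);   /* the value assigned to myflowint */
}

int main(void) {
    printf("before patch: myflowint = %u\n", demo_assign(0));  /* 0 */
    printf("after patch:  myflowint = %u\n", demo_assign(1));  /* 4660 */
    return 0;
}
```

Resolving the byte_extract variable at parse time is what keeps the per-packet cost to a single type check: the match path indexes byte_values directly instead of searching a name list, and the existing flowint-name path is left exactly as it was.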
Adding this to the rule language will really help write some crazy-cool rules btw...
Files
Updated by Reid Wightman 9 days ago
- File detect-flowint_c.diff added
- File detect-flowint_h.diff added