Bug #8458: detect/variable: warn if rules try to use byte vars before they're extracted - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #8458

open

detect/variable: warn if rules try to use byte vars before they're extracted

Bug #8458: detect/variable: warn if rules try to use byte vars before they're extracted

Added by Jeff Lucovsky about 10 hours ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

When a rule contains buffers with progress values that would cause a byte variable to be used before it is produced, a warning (or error?) should be flagged:

Here's an example rule. http.uri has a lower progress val and would match first but val hasn't been produced yet. file.data has a higher progress value.

  alert http any any -> any any (
      file.data; content:"x"; byte_extract:1,0,val,relative;
      http.uri;  content:"y"; byte_test:1,=,val,0;
      sid:1;)

Related issues 1 (1 open — 0 closed)

JL Updated by Jeff Lucovsky about 10 hours ago Actions
Copy link
#1

Related to Feature #7801: rules: support multi-buffer byte variables added

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #8458

detect/variable: warn if rules try to use byte vars before they're extracted

JL Updated by Jeff Lucovsky about 10 hours ago Actions
Copy link
#1

Project

General

Profile

Suricata

Custom queries

Bug #8458

detect/variable: warn if rules try to use byte vars before they're extracted

JL Updated by Jeff Lucovsky about 10 hours ago ActionsCopy link #1

JL Updated by Jeff Lucovsky about 10 hours ago Actions
Copy link
#1