Bug #158
closed
byte_test + relative modifier doesn't work when previous keyword is byte_jump
Description
Suricata does not support byte_test,relative when the previous keyword is byte_jump. This is supported in Snort and works. We should support the same.
alert tcp any any -> any any (msg:"content + byte_test + relative"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,dec; classtype:bad-unknown; sid:777; rev:1;)
src/suricata -s blah.rules -r /home/coz/rules4/allworkandnoplayplain.pcap -l ./ -c suricata.yaml
[17457] 13/5/2010 -- 13:05:29 - (detect-bytetest.c:538) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_BYTETEST_MISSING_CONTENT(104)] - relative bytetest match needs a previous content option
[17457] 13/5/2010 -- 13:05:29 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp any any -> any any (msg:"content + byte_test + relative"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,dec; classtype:bad-unknown; sid:777; rev:1;)" from file blah.rules at line 1
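To find other rules in a ruleset that would hit the same load error, the following added example (not part of the original report and not Suricata code) walks a rule's options in order and flags a relative byte_test that has no earlier anchoring keyword. The two anchor sets and all function names are assumptions of this sketch: one mirrors the "needs a previous content option" message, the other also accepts byte_jump as the report requests.

```python
import re

# Keywords assumed to set the position a later "relative" option starts from.
# CONTENT_ONLY mirrors the error message in this report; SNORT_COMPATIBLE is
# the behaviour the report asks for. Only keywords named on this page appear.
CONTENT_ONLY = frozenset({"content"})
SNORT_COMPATIBLE = frozenset({"content", "byte_jump"})

def split_options(rule):
    """Return [(keyword, value)] from the option block, honouring quoted ';'."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block")
    # A ';' ends an option unless it sits inside a double-quoted string.
    parts = re.findall(r'(?:"(?:\\.|[^"\\])*"|[^;"])+', rule[start + 1:end])
    options = []
    for part in parts:
        keyword, _, value = part.strip().partition(":")
        if keyword:
            options.append((keyword.strip().lower(), value.strip()))
    return options

def unanchored_relative(rule, anchors):
    """Return each byte_test that uses 'relative' before any anchoring keyword."""
    problems, anchored = [], False
    for keyword, value in split_options(rule):
        args = [arg.strip().lower() for arg in value.split(",")]
        if keyword == "byte_test" and "relative" in args and not anchored:
            problems.append(keyword)
        if keyword in anchors:
            anchored = True
    return problems

def rejected_only_by_content_check(rule):
    """True when the only obstacle is that byte_jump is not taken as an anchor."""
    return (bool(unanchored_relative(rule, CONTENT_ONLY))
            and not unanchored_relative(rule, SNORT_COMPATIBLE))

# The rule from the report above.
REPORTED_RULE = ('alert tcp any any -> any any (msg:"content + byte_test + relative"; '
                 'byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,dec; '
                 'classtype:bad-unknown; sid:777; rev:1;)')
# Constructed variant: the same rule with the byte_jump removed.
NO_ANCHOR_RULE = REPORTED_RULE.replace("byte_jump:1,44,string,dec; ", "")

if __name__ == "__main__":
    for label, rule in (("reported", REPORTED_RULE), ("no anchor", NO_ANCHOR_RULE)):
        print(label, rejected_only_by_content_check(rule))
```

The word "relative" inside the msg string is ignored because only the comma-separated arguments of byte_test are inspected.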