Feature #2311
closedmath on extracted values
Added by Victor Julien about 7 years ago. Updated over 4 years ago.
Updated by Victor Julien about 7 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
Updated by Victor Julien over 6 years ago
We need feedback on what usecases would need to be added/supported.
Updated by Victor Julien over 6 years ago
- Effort set to low
- Difficulty set to medium
Updated by David Wharton over 6 years ago
While Suricata has matured to the point where it should be defining IDS rule capabilities instead of reacting to other vendors, I think in this case it makes sense to try to make this compatible with the existing Snort 'byte_math' keyword.
Format:
byte_math:bytes <bytes_to_extract>, offset <offset_value>, oper <operator>,
rvalue <r_value>, result <result_variable> [, relative]
[, endian <endian>] [, string <number type>][, dce]
[, bitmask <bitmask_value>];
Ref: Snort 2.9.9.0 manual, section 3.5.34
This keyword is functionally different but structurally similar (not exact) to other 'byte_*' keywords such as 'byte_test', 'byte_extract' and 'byte_jump'.
Cross-variable buffer usage should be allowed, however this may be a challenge (or secondary goal) since currently cross-buffer byte extraction and usage isn't currently supported.
Updated by Victor Julien almost 6 years ago
- Assignee set to Community Ticket
- Priority changed from Low to Normal
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Jeff Lucovsky
- Target version changed from TBD to 6.0.0beta1
Updated by Victor Julien almost 5 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky over 4 years ago
Updated by Jeff Lucovsky over 4 years ago
- Status changed from In Review to Closed