Project

General

Profile

Actions
Copy link

Feature #3626

closed

implement from_end byte_jump keyword

Added by Jason Taylor over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
6.0.0beta1
Effort:
Difficulty:
Label:

Description

from_end is documented:
https://suricata.readthedocs.io/en/suricata-5.0.2/rules/payload-keywords.html#byte-jump

however it is not implemented in the suricata code.

The following rule is shown as an example in the suricata docs:

alert tcp any any -> any any \
(msg:"Byte_Jump From the End -8 Bytes"; \
byte_jump:0,0, from_end, post_offset -8; \
content:"|6c 33 33 74|"; distance:0 within:4;)

when attempting to load the rule the following is logged:
Problem starting Suricata daemon: [2101] 8/4/2020 – 18:08:31 - (detect-bytejump.c:462) (DetectBytejumpParse) – [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unknown option: “from_end”

Actions
Copy link
 #1

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 6.0.0beta1
Actions
Copy link
 #2

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from Assigned to In Review
Actions
Copy link
 #3

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF