Feature #3626

closed

implement from_end byte_jump keyword

Added by Jason Taylor over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal

Description

from_end is documented at:
https://suricata.readthedocs.io/en/suricata-5.0.2/rules/payload-keywords.html#byte-jump

However, it is not implemented in the Suricata code.

The following rule is shown as an example in the Suricata docs:

alert tcp any any -> any any \
(msg:"Byte_Jump From the End -8 Bytes"; \
byte_jump:0,0, from_end, post_offset -8; \
content:"|6c 33 33 74|"; distance:0; within:4;)

When attempting to load the rule, the following is logged:
Problem starting Suricata daemon: [2101] 8/4/2020 -- 18:08:31 - (detect-bytejump.c:462) (DetectBytejumpParse) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unknown option: "from_end"
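To make the requested behaviour concrete, here is an added model (not Suricata's own code) of the documented byte_jump semantics, including from_end and post_offset, applied to the docs' example rule. The function names, the cursor/bounds handling and the sample payloads are assumptions made for this illustration; the real parser and matcher live in detect-bytejump.c and detect-content.c.

```python
from typing import Optional

def byte_jump(payload: bytes, nbytes: int, offset: int, cursor: int = 0,
              relative: bool = False, little: bool = False,
              from_beginning: bool = False, from_end: bool = False,
              post_offset: int = 0, multiplier: int = 1) -> Optional[int]:
    """Model of byte_jump: read `nbytes` at `offset` as an integer, then move the
    detection cursor. Returns the new cursor, or None when the jump leaves the
    payload (the rule must then not match)."""
    start = cursor + offset if relative else offset
    end = start + nbytes
    if start < 0 or end > len(payload):
        return None
    # nbytes == 0 (as in the docs' example) reads nothing and yields 0.
    value = int.from_bytes(payload[start:end], "little" if little else "big")
    value *= multiplier
    if from_end:
        new = len(payload) + value      # jump is counted from the payload end
    elif from_beginning:
        new = value                     # jump is counted from offset 0
    else:
        new = end + value               # default: from the end of the read bytes
    new += post_offset                  # applied after the jump, may be negative
    if new < 0 or new > len(payload):
        return None
    return new

def content_match(payload: bytes, cursor: int, content: bytes,
                  distance: int = 0, within: Optional[int] = None) -> Optional[int]:
    """Relative content: match starts at or after cursor+distance and, when
    `within` is set, lies entirely inside the next `within` bytes."""
    lo = cursor + distance
    hi = len(payload) if within is None else min(len(payload), lo + within)
    idx = payload.find(content, lo, hi)  # slice bounds enforce `within`
    return None if idx == -1 else idx

def rule_3626_matches(payload: bytes) -> bool:
    """The docs' rule: byte_jump:0,0,from_end,post_offset -8;
    content:"|6c 33 33 74|"; distance:0; within:4;  ("l33t" at len-8)."""
    cursor = byte_jump(payload, 0, 0, from_end=True, post_offset=-8)
    if cursor is None:
        return False
    return content_match(payload, cursor, b"l33t", distance=0, within=4) is not None

# Constructed sample payloads, not captured traffic.
SAMPLE_HIT = b"HTTP/1.0 200 OK\r\nl33tABCD"   # "l33t" occupies the 8th..5th last bytes
SAMPLE_SHORT = b"l33t"                      # shorter than 8 bytes: jump falls off the start
SAMPLE_MISS = b"xxl33tzzzzzz"               # "l33t" present, but not at len-8
```

With the expected semantics, only SAMPLE_HIT matches; the short payload is rejected by the bounds check rather than by a content miss.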
