Bug #5077 (closed)
byte_math rule options need to be in order or will fail otherwise
Affected Versions:
Effort:
Difficulty:
Label:
Description
If a rule writer doesn't follow the order in the table at https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html#byte-math, the rule will run into a parsing error.
alert tcp any any -> any any (msg:"Byte-math test"; ipv4.hdr; byte_math:bytes 4, offset 72, oper +, rvalue 77, endian little, result result_val; tcp.hdr; byte_test: 1, =, 0x88, 1, relative; sid:1;)
results in:
<Error> - [ERRCODE: SC_ERR_PCRE_PARSE(7)] - byte_math parse error; invalid value: ret -1, string "bytes 4, offset 72, oper +, rvalue 77, endian little, result result_val"
while the correct order works:
alert tcp any any -> any any (msg:"Byte-math test"; ipv4.hdr; byte_math:bytes 4, offset 72, oper +, rvalue 77, result result_val, endian little; tcp.hdr; byte_test: 1, =, 0x88, 1, relative; sid:1;)
The test rules swap the endian and result options.
The root cause is, IMHO, the regex used in src/detect-bytemath.c.
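To make the reported behaviour concrete, here is an added example (not Suricata code, and not the regex from src/detect-bytemath.c). It pulls the byte_math options out of the two rules quoted above, runs them through a hypothetical fixed-order regex that models the symptom (each keyword anchored to one position, so the swapped form fails to match), and then through a keyword-based parser that accepts the options in any order while still rejecting duplicates, unknown keywords and missing required options. The option set, the operator list and the 1..10 range for `bytes` are assumptions made for the example, not taken from the report.

```python
import re

# Two rules copied from the bug report; only the byte_math option order differs.
RULE_SWAPPED = ('alert tcp any any -> any any (msg:"Byte-math test"; ipv4.hdr; '
                'byte_math:bytes 4, offset 72, oper +, rvalue 77, endian little, result result_val; '
                'tcp.hdr; byte_test: 1, =, 0x88, 1, relative; sid:1;)')
RULE_DOCUMENTED = ('alert tcp any any -> any any (msg:"Byte-math test"; ipv4.hdr; '
                   'byte_math:bytes 4, offset 72, oper +, rvalue 77, result result_val, endian little; '
                   'tcp.hdr; byte_test: 1, =, 0x88, 1, relative; sid:1;)')


def extract_byte_math(rule):
    """Return the raw text between 'byte_math:' and the next ';', or None."""
    m = re.search(r"byte_math:\s*([^;]*);", rule)
    return m.group(1).strip() if m else None


# Hypothetical fixed-order regex in the positional style the report points at.
# It is NOT the expression from src/detect-bytemath.c; it only models the symptom:
# every keyword is tied to one position, so any other order fails to match.
FIXED_ORDER_RE = re.compile(
    r"^bytes\s+(\d+)\s*,"
    r"\s*offset\s+(-?\d+)\s*,"
    r"\s*oper\s+(\+|-|\*|/|<<|>>)\s*,"
    r"\s*rvalue\s+(\w+)\s*,"
    r"\s*result\s+(\w+)"
    r"(?:\s*,\s*endian\s+(big|little))?"
    r"\s*$"
)


def parse_fixed_order(opts):
    """Order-sensitive parse; returns None where the report shows a parse error."""
    m = FIXED_ORDER_RE.match(opts)
    if not m:
        return None
    bytes_, offset, oper, rvalue, result, endian = m.groups()
    return {"bytes": int(bytes_), "offset": int(offset), "oper": oper,
            "rvalue": rvalue, "result": result, "endian": endian or "big"}


# Order-independent parser: split on ',' and treat the first word as the keyword.
# The keyword set, operator list and ranges below are assumptions for this example.
REQUIRED = {"bytes", "offset", "oper", "rvalue", "result"}
VALUED = {"bytes", "offset", "oper", "rvalue", "result", "endian", "string", "bitmask"}
FLAGS = {"relative", "dce"}
OPERS = {"+", "-", "*", "/", "<<", ">>"}
ENDIANS = {"big", "little"}


def parse_byte_math(opts):
    seen = {}
    for raw in opts.split(","):
        tok = raw.strip().split(None, 1)
        if not tok:
            raise ValueError("empty byte_math option")
        key = tok[0]
        if key in seen:
            raise ValueError(f"duplicate byte_math option: {key}")
        if key in FLAGS:
            if len(tok) != 1:
                raise ValueError(f"{key} takes no value")
            seen[key] = True
        elif key in VALUED:
            if len(tok) != 2:
                raise ValueError(f"{key} needs a value")
            seen[key] = tok[1].strip()
        else:
            raise ValueError(f"unknown byte_math option: {key}")
    missing = REQUIRED - seen.keys()
    if missing:
        raise ValueError(f"missing byte_math options: {sorted(missing)}")
    # Type and range checks run after collection, so they do not depend on order.
    seen["bytes"] = int(seen["bytes"])
    if not 1 <= seen["bytes"] <= 10:  # assumed range for the example
        raise ValueError("bytes must be 1..10")
    seen["offset"] = int(seen["offset"])
    if seen["oper"] not in OPERS:
        raise ValueError(f"bad oper: {seen['oper']}")
    if seen["rvalue"].lstrip("-").isdigit():  # literal number, otherwise a variable name
        seen["rvalue"] = int(seen["rvalue"])
    seen.setdefault("endian", "big")
    if seen["endian"] not in ENDIANS:
        raise ValueError(f"bad endian: {seen['endian']}")
    return seen


def rejects(opts):
    """True if the order-independent parser refuses the option string."""
    try:
        parse_byte_math(opts)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, rule in (("swapped", RULE_SWAPPED), ("documented", RULE_DOCUMENTED)):
        opts = extract_byte_math(rule)
        print(name, "fixed-order:", parse_fixed_order(opts))
        print(name, "order-independent:", parse_byte_math(opts))
```

Running it shows the fixed-order regex returning None for the swapped rule and a full result for the documented one, while the keyword parser produces the same dictionary for both. The point for a fix is that keyword-value options carry their own names, so the parser should key on the name rather than on position, and validate the collected set afterwards.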