Project

General

Profile

Actions

Feature #6831

open

support extraction of bytes of non-numeric values

Added by Brandon Murphy 10 months ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Use Case:

Consider the following HTTP request. I would like to write detection logic that ensures the 32 byte string that occurs in the URI is also found within the Cookie Value.

GET /example/path?foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://example.com
Cookie: foo=Pn5tRZrj12eSWFx4qL7cAeyzvKl90O6G

reference: https://forum.suricata.io/t/byte-extract-byte-test-string-limits/4511/3

Current and Attempted Methods:

Currently the only way to accomplish this detection logic (with PCRE capture groups) has many limitations/considerations
1) within a single buffer (http.start works in this example)
- this won't work with HTTP/2 traffic
2) via capture groups within PCRE. This can be pretty costly.

I attempted to use the byte_extract/byte_test, which did work, but was limited to 20 byte as noted within the discourse convo. the keyword performance of the byte_extract/byte_test combo was about half as many ticks as using the PCRE capture groups.

Proposed Solution:
I won't bother with suggesting how this should be solved, but more details of the use case are required please let me know.

P.S. - I'm not sure what to "call" this request, so feel free to change the subject to more accurately reflect whatever this is.


Related issues 2 (2 open0 closed)

Related to Suricata - Feature #7321: cross buffer byte_* keyword supportNewOISF DevActions
Related to Suricata - Task #7336: Suricon 2024 brainstormNewVictor JulienActions
Actions

Also available in: Atom PDF