Suricata

Currently, byte_* keywords are only useable within the same buffer and you cannot (as far as I am aware) use values from a byte_* keyword elsewhere in a rule.

For example - we were working on a signature that checks Content-Length values in POST requests to then use that value in the HTTP POST body to verify whether the length of the body matches what is stated in the Content-Length header. The only way to achieve this with byte_* keywords is to unbuffer the whole signature, causing a nasty hit to an already poor performing signature.

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Content-Length Experiments"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|"; byte_extract:1,0,content_len,relative,string,dec; content:"|0d 0a 0d 0a|"; isdataat:!content_len,relative; http.method; content:"POST"; classtype:misc-activity; sid:1000000; rev:1;)

Above is a basic test that looks for a POST request, takes the value of Content-Length (1 byte in this case, very small request) with byte_extract, assigns it to the 'content_len' variable, skips ahead to the delimiter that separates HTTP header and HTTP body (\r\n\r\n), and checks whether there are bytes relative from the beginning, at the offset value defined in 'content_len'.

It would be great if we could un-restrict byte_* keywords for examples such as this so that we can utilise the correct buffer such as http.content_len; and http.request_body;