<div dir="ltr">Yea, I see this work in snort 2.9.6 and not in suri 4.0.0. I would open a ticket on this.<div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 20, 2017 at 2:17 PM, Harley H <span dir="ltr"><<a href="mailto:bobb.harley@gmail.com" target="_blank">bobb.harley@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Would it be better if I filed a bug report on this?</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 18, 2017 at 2:18 PM, Harley H <span dir="ltr"><<a href="mailto:bobb.harley@gmail.com" target="_blank">bobb.harley@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div> I'm trying to write a rule which extracts a size field (single byte) using byte_extract then checks to make sure there is no data at that size by using a negated isdataat check. </div><div><br></div><div>I contrived a pcap where byte offset 12 is the packet size and offset 13 is the packet size + 1. So, I'd expect the following rules to cause alerts:</div><div><br></div><div>alert tcp any any -> any any (msg:"isdataat data_size 103 - should alert"; byte_extract:1,12,data_size; isdataat:!data_size; sid:123129; rev:1;) </div><div>alert tcp any any -> any any (msg:"isdataat data_size 104 - should alert"; byte_extract:1,13,data_size; isdataat:!data_size; sid:123130; rev:1;) <br></div><div><br></div><div>However, they do not cause alerts. An alert is caused by removing the negation on isdataat. </div><div><br></div><div><br></div><div>Attached is the sample pcap, the fast.log output, and the rules file. The rules file contains some additional rules than where described in this email to help illustrate the problem. </div><div><br></div><div>I also added some SCLogDebug() output in detect-byte-extract.c and detect-engine-content-inspecti<wbr>on.c to help give a better idea of the what the extracted and isdataat value checks are. It looks like the correct value is being extracted but when checked with isdataat it is zero. Although, I'm not entirely confident I've done that correctly but am happy to share and discuss if there is interest. </div><div><br></div><div>Thanks,</div><div> Harley</div><div><br></div></div>
</blockquote></div><br></div>
</div></div><br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br></blockquote></div><br></div>