[Oisf-devel] Arithmetic Operators in signature

Peter Manev petermanev at gmail.com
Mon Sep 19 22:04:20 UTC 2016


On Thu, Sep 1, 2016 at 10:21 PM, amit zala <impmails67 at gmail.com> wrote:
> Hi,
>
> I will extract specific bytes from packet, lets say A and B are the
> extracted variables.
> Now I want to check (A-7+B)/8 is less than 1000.
>
> Is there any way I can do that is signature itself?

I asked on the ET IRC channel looking for some of the experienced rule
writers' suggestions - the initial feedback that I got was that
((A-7+B)/8 < 1000) is not possible - but depending on the task
specifics - you might try to achieve that in another way/combination
(if permitting) using lua/pcre etc....


>
> Thanks
> Amit
>
> On Fri, Sep 2, 2016 at 1:48 AM, rmkml <rmkml at ligfy.org> wrote:
>>
>> Hi Amit,
>>
>> Not easy, depending on your need,
>>
>> could you describe one example please?
>>
>> For example use byte_test? or use pcre relative?
>>
>> Another is a Lua script for complex cases.
>>
>> Best Regards
>> @Rmkml
>>
>>
>>
>> On Thu, 1 Sep 2016, amit zala wrote:
>>
>>> Hi,
>>> Is there any way to use arithmetic operators (+ - * /) in signature?
>>> For example,
>>> I use byte_extract to extract some bytes, and then I want to multiply it
>>> by some static value and check if it crosses some limit? Is there any way to
>>> do it in the signature itself?
>>> I searched the Suricata guide but I was not able to find anything which
>>> satisfies this requirement.
>>>
>>> Thanks
>>> Amit
>>>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/



-- 
Regards,
Peter Manev
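The Lua route suggested in the replies above, as an added example that is not part of the thread and not Suricata project code: a detection script that pulls A and B out of the payload and tests (A-7+B)/8 < 1000. The field layout is an assumption made for illustration (A as a 16-bit big-endian value at payload offset 4, B as an 8-bit value at offset 6); the script name `arith_check.lua` and the sid are likewise hypothetical. The `init()`/`match()` entry points, `needs["payload"]`, `args["payload"]` and the `lua:` rule keyword are Suricata's documented Lua scripting interface.

```lua
-- arith_check.lua (hypothetical name)
--
-- Example rule that loads it (place the script next to the rule file):
--   alert tcp any any -> any any (msg:"arith check (A-7+B)/8 < 1000"; \
--     lua:arith_check.lua; sid:1000001; rev:1;)
--
-- Assumed (illustrative) layout, 0-based payload offsets:
--   A = 16-bit big-endian at offset 4  -> Lua string positions 5..6
--   B = 8-bit              at offset 6  -> Lua string position  7
-- Adjust the offsets/widths to the real protocol.

-- Suricata calls init() once when the rule loads; asking for "payload"
-- makes the packet/stream payload available to match() as args["payload"].
function init(args)
    local needs = {}
    needs["payload"] = true
    return needs
end

-- Pure arithmetic check, kept separate so it can be unit-tested outside
-- Suricata. Uses floored (integer) division, which is what a rule-language
-- comparison on byte values would do; change to plain "/" if the protocol
-- semantics call for a fractional result.
function check_limit(a, b)
    local v = math.floor((a - 7 + b) / 8)
    return v < 1000
end

-- Extract A and B from the payload string. Returns nil, nil when the
-- payload is absent or too short, so a truncated packet never matches
-- (and never raises a Lua error inside the engine).
function extract_ab(payload)
    if payload == nil or #payload < 7 then
        return nil, nil
    end
    local hi, lo = string.byte(payload, 5, 6)
    local a = hi * 256 + lo          -- 16-bit big-endian
    local b = string.byte(payload, 7)
    return a, b
end

-- Suricata calls match() for each payload; return 1 to fire the rule, 0 otherwise.
function match(args)
    local a, b = extract_ab(args["payload"])
    if a == nil then
        return 0
    end
    if check_limit(a, b) then
        return 1
    end
    return 0
end

-- Stand-alone self-check with constructed payloads (not run by Suricata).
if arg ~= nil then
    -- A = 0x1F00 (7936), B = 0x10 (16): (7936-7+16)/8 = 993 -> match
    local hit  = string.char(0, 0, 0, 0, 0x1F, 0x00, 0x10)
    -- A = 0x1F80 (8064), B = 0x10 (16): (8064-7+16)/8 = 1009 -> no match
    local miss = string.char(0, 0, 0, 0, 0x1F, 0x80, 0x10)
    assert(match({payload = hit})  == 1)
    assert(match({payload = miss}) == 0)
    assert(match({payload = "abc"}) == 0)   -- too short
    print("arith_check.lua self-check ok")
end
```

Keep the arithmetic in a small pure function as above: the threshold and the field offsets are the parts most likely to change, and a Lua error inside `match()` (for example indexing past the end of a short payload) is easy to miss at rule-load time, so the length guard in `extract_ab()` is the check to keep.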


