[Oisf-users] having trouble byte_extract and isdataat

Harley H bobb.harley at gmail.com
Wed Oct 18 18:18:37 UTC 2017


Hello,
  I'm trying to write a rule which extracts a size field (single byte)
using byte_extract then checks to make sure there is no data at that size
by using a negated isdataat check.

I contrived a pcap where byte offset 12 is the packet size and offset 13 is
the packet size + 1. So, I'd expect the following rules to cause alerts:

alert tcp any any -> any any (msg:"isdataat data_size 103 - should alert";
 byte_extract:1,12,data_size; isdataat:!data_size; sid:123129; rev:1;)
alert tcp any any -> any any (msg:"isdataat data_size 104 - should alert";
 byte_extract:1,13,data_size; isdataat:!data_size; sid:123130; rev:1;)

However, they do not cause alerts. An alert is caused by removing the
negation on isdataat.


Attached are the sample pcap, the fast.log output, and the rules file. The
rules file contains some additional rules beyond those described in this
email to help illustrate the problem.

I also added some SCLogDebug() output in detect-byte-extract.c and
detect-engine-content-inspection.c to help give a better idea of what the
extracted and isdataat value checks are. It looks like the correct value is
being extracted, but when checked with isdataat it is zero. Although I'm not
entirely confident I've done that correctly, I am happy to share and discuss
if there is interest.

Thanks,
  Harley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Byte_extract_isdataat_test.pcap
Type: application/octet-stream
Size: 721 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171018/ed281627/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testing.rules
Type: application/octet-stream
Size: 1186 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171018/ed281627/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fast.log
Type: application/octet-stream
Size: 663 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171018/ed281627/attachment-0002.obj>
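As an added illustration, not part of the original post and not Suricata's own code, the Python below models the two keywords the rules above combine, so the expected verdicts for the described pcap can be checked outside the engine. The modelled semantics follow the Suricata rule documentation: byte_extract:N,OFF,VAR reads an unsigned big-endian integer of N bytes at absolute offset OFF; isdataat:X matches when a byte exists at offset X (X < payload length), and a leading "!" inverts that. The payload is constructed to mirror the post (byte 12 holds the payload length, byte 13 holds length + 1); the function names and the payload contents are assumptions.

```python
# Constructed model of byte_extract + isdataat evaluation for one payload.
# Added illustration only: not Suricata source, not the poster's rules file.


def byte_extract(payload: bytes, nbytes: int, offset: int, *, little_endian: bool = False) -> int:
    """Model of byte_extract:<nbytes>,<offset>,<var>.

    Reads an unsigned integer of nbytes bytes at an absolute offset.
    Big-endian unless little_endian is set (the rule keyword default).
    """
    if nbytes not in (1, 2, 4, 8):
        raise ValueError("this model supports 1/2/4/8 byte fields only")
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        raise ValueError(f"payload too short to extract {nbytes} byte(s) at offset {offset}")
    return int.from_bytes(chunk, "little" if little_endian else "big")


def isdataat(payload: bytes, offset: int, *, negate: bool = False) -> bool:
    """Model of isdataat:[!]<offset> with an absolute offset.

    True when a byte exists at that offset, i.e. offset < len(payload).
    With negate=True the result is inverted, matching a leading '!'.
    """
    present = offset < len(payload)
    return (not present) if negate else present


def size_field_rule(payload: bytes, extract_offset: int, *, negate: bool) -> bool:
    """Evaluate 'byte_extract:1,<extract_offset>,data_size; isdataat:[!]data_size;'.

    Returns True when the rule would alert on this payload.
    """
    data_size = byte_extract(payload, 1, extract_offset)
    return isdataat(payload, data_size, negate=negate)


def build_sample_payload(total_len: int = 40) -> bytes:
    """Constructed payload mirroring the post: byte 12 = payload length,
    byte 13 = payload length + 1, everything else zero.
    (Assumption: 40 bytes; the real pcap's length is not given in the post.)"""
    if not 14 <= total_len <= 254:
        raise ValueError("length must fit a single byte and cover offsets 12 and 13")
    buf = bytearray(total_len)
    buf[12] = total_len
    buf[13] = total_len + 1
    return bytes(buf)


def verdicts(payload: bytes) -> dict:
    """Verdicts for the four rule variants discussed in the post, keyed by
    extract offset and whether isdataat is negated."""
    return {
        (12, True): size_field_rule(payload, 12, negate=True),    # sid 123129 style
        (13, True): size_field_rule(payload, 13, negate=True),    # sid 123130 style
        (12, False): size_field_rule(payload, 12, negate=False),  # negation removed
        (13, False): size_field_rule(payload, 13, negate=False),  # negation removed
    }


if __name__ == "__main__":
    sample = build_sample_payload()
    for (off, neg), hit in verdicts(sample).items():
        kw = "isdataat:!data_size" if neg else "isdataat:data_size"
        print(f"byte_extract:1,{off},data_size; {kw}; -> {'ALERT' if hit else 'no alert'}")
```

Under these semantics both negated rules should fire on the described packet (the extracted size equals or exceeds the payload length, so no byte exists at that offset), and removing the negation should make both stop firing; that is the opposite of what the post reports from fast.log, which is what makes the observed behaviour worth a bug report rather than a rule-syntax fix.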

