[Oisf-users] having trouble byte_extract and isdataat

Harley H bobb.harley at gmail.com
Fri Oct 20 19:17:13 UTC 2017


Would it be better if I filed a bug report on this?

On Wed, Oct 18, 2017 at 2:18 PM, Harley H <bobb.harley at gmail.com> wrote:

> Hello,
>   I'm trying to write a rule which extracts a size field (single byte)
> using byte_extract then checks to make sure there is no data at that size
> by using a negated isdataat check.
>
> I contrived a pcap where byte offset 12 is the packet size and offset 13
> is the packet size + 1. So, I'd expect the following rules to cause alerts:
>
> alert tcp any any -> any any (msg:"isdataat data_size 103 - should alert";
>  byte_extract:1,12,data_size; isdataat:!data_size; sid:123129; rev:1;)
> alert tcp any any -> any any (msg:"isdataat data_size 104 - should alert";
>  byte_extract:1,13,data_size; isdataat:!data_size; sid:123130; rev:1;)
>
> However, they do not cause alerts. An alert is caused by removing the
> negation on isdataat.
>
>
> Attached is the sample pcap, the fast.log output, and the rules file. The
> rules file contains some additional rules beyond those described in this
> email to help illustrate the problem.
>
> I also added some SCLogDebug() output in detect-byte-extract.c and
> detect-engine-content-inspection.c to help give a better idea of what
> the extracted and isdataat value checks are. It looks like the correct
> value is being extracted but when checked with isdataat it is zero.
> Although, I'm not entirely confident I've done that correctly but am happy
> to share and discuss if there is interest.
>
> Thanks,
>   Harley
>
>
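The following is an added emulator of the two rule keywords used above; it is not code from the thread or from Suricata. It models byte_extract and an absolute isdataat over a constructed payload shaped like the one described (byte 12 = size, byte 13 = size + 1), and the `isdataat_sees_zero` switch is a hypothetical model of the reported symptom (variable extracted correctly but read back as 0). The isdataat semantics ("the byte at zero-based index N exists") are an assumption of the emulator.

```python
import re

def build_payload(size=103):
    """Constructed payload: byte 12 holds the size, byte 13 holds size + 1."""
    buf = bytearray(b"A" * size)
    buf[12] = size
    buf[13] = size + 1
    return bytes(buf)

def byte_extract(payload, nbytes, offset, variables, name):
    """byte_extract:<nbytes>,<offset>,<name>; absolute offset, big-endian."""
    if offset + nbytes > len(payload):
        return False
    variables[name] = int.from_bytes(payload[offset:offset + nbytes], "big")
    return True

def isdataat(payload, value, negated):
    """isdataat:[!]<N>; (absolute). Assumed semantics: match when the byte at
    zero-based index N exists, i.e. N < len(payload); '!' inverts that."""
    present = value < len(payload)
    return (not present) if negated else present

OPT_RE = re.compile(r"(\w+):([^;]*);")

def evaluate(options, payload, isdataat_sees_zero=False):
    """Walk the rule options left to right; True means the rule would alert.
    Only byte_extract and isdataat affect the verdict (msg/sid/rev are skipped).
    isdataat_sees_zero is a hypothetical model of the symptom in the thread."""
    variables = {}
    for keyword, arg in OPT_RE.findall(options):
        if keyword == "byte_extract":
            nbytes, offset, name = (s.strip() for s in arg.split(","))
            if not byte_extract(payload, int(nbytes), int(offset), variables, name):
                return False
        elif keyword == "isdataat":
            arg = arg.strip()
            negated = arg.startswith("!")
            ref = arg.lstrip("!")
            value = int(ref) if ref.isdigit() else variables[ref]
            if isdataat_sees_zero:
                value = 0
            if not isdataat(payload, value, negated):
                return False
    return True

# The two rules from the thread (msg/sid/rev omitted) and the non-negated variant.
RULE_103 = "byte_extract:1,12,data_size; isdataat:!data_size;"
RULE_104 = "byte_extract:1,13,data_size; isdataat:!data_size;"
RULE_NOT_NEGATED = "byte_extract:1,12,data_size; isdataat:data_size;"
```

Under the assumed semantics both negated rules match the constructed payload; with the variable read back as 0, the negated form never matches while the non-negated form always does, which is the pattern described in the thread.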