Help in Suricata rule bitmask syntax problem

Information Security Asked by Khalid on January 18, 2021

I have written the following rule in my Suricata rules file:

alert tcp any any <> any any (flow:established; content:"|65|"; offset:0; depth:1; byte_test:1, =, 3, 2, bitmask 0x03; msg:"detected"; classtype:bad-unknown; sid:222; rev:1; priority:1;)

But it shows the following error because of the bitmask:

...
[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1, =, 3, 2, bitmask 0x03 
...

I have found some examples in the Suricata documentation but none of them mention the way to properly use bitmask with the comparison operator.

My question is, what is the proper way to use the bitmask keyword? And why is it not working in the rule I have shown?

One Answer

It is unknown what version you are using, but I will assume that you are not using a beta version. bitmask was only recently implemented in 6.0.0-beta1 and is at the time of this writing not available in a stable version. The option was documented much earlier though, i.e. there was a bug in that it was documented but not actually implemented. For details see Ticket 3283 and the ChangeLog where you should search for "#3283" to find out when it was fixed.

Correct answer by Steffen Ullrich on January 18, 2021
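To show what the question's rule is meant to match once the Suricata build in use actually implements bitmask, here is an added Python emulation of the byte_test check (example code, not Suricata's own implementation and not from either poster). It assumes byte_test reads an unsigned integer at the given absolute offset and that bitmask is a plain bitwise AND (trailing-zero shifting, which only matters for masks such as 0xF0, is not modelled); the sample payloads are constructed.

```python
# Added example: emulate content:"|65|"; offset:0; depth:1;
# byte_test:1, =, 3, 2, bitmask 0x03; on constructed payloads.
import operator

# Comparison operators accepted by byte_test (the rule uses "=").
OPERATORS = {
    "=": operator.eq,
    "<": operator.lt,
    ">": operator.gt,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,
}


def byte_test(payload, nbytes, op, value, offset, bitmask=None, big_endian=True):
    """Emulate byte_test:<nbytes>, <op>, <value>, <offset> [, bitmask <mask>].

    Returns False when the payload is too short, as the real check cannot
    read bytes that are not there.
    """
    if offset < 0 or offset + nbytes > len(payload):
        return False
    extracted = int.from_bytes(payload[offset:offset + nbytes],
                               "big" if big_endian else "little")
    if bitmask is not None:
        extracted &= bitmask  # assumption: plain AND, no shift modelled
    return OPERATORS[op](extracted, value)


def rule_matches(payload):
    """content:"|65|"; offset:0; depth:1; then byte_test on byte 2 masked with 0x03."""
    if payload[0:1] != b"\x65":  # first byte must be 0x65
        return False
    return byte_test(payload, 1, "=", 3, 2, bitmask=0x03)


# Constructed sample payloads, labelled with the expected verdict.
SAMPLES = {
    "match":       b"\x65\x00\x07",  # 0x07 & 0x03 == 3 -> True
    "wrong_mask":  b"\x65\x00\x04",  # 0x04 & 0x03 == 0 -> False
    "wrong_first": b"\x41\x00\x03",  # first byte is not 0x65 -> False
    "too_short":   b"\x65\x00",      # byte 2 does not exist -> False
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:12s} {p.hex():8s} -> {rule_matches(p)}")
```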
