Behavior of byte_extract as content modifier

Hey everybody,

I am a bit puzzled by the functionality of byte_extract when it is used as a content modifier. In the Suricata documentation it is written that the variable of byte_extract can also be used as numerical value for content modifiers like depth and offset. I understand the usage for byte_test as value, but I don’t get this modifier usage.

When some bytes are extracted via this method, what exactly is the numerical value that is used? The number of bytes that were extracted? The hex value of the extracted variable? Let’s say I have a mocked payload that just contains characters, for example "aaabbbccc" and I use the rule body byte_extract:1,0,key; content:"b"; offset:3; depth:key; - then on what "area" of the payload exactly does this content keyword now match? I thought it would match on the first b and only on the first b, but it still matches if I use content:"c"; which I don’t really understand.

Thanks in advance for the help.

This is from a test out of our suricata-verify repo:

alert tcp-pkt any any -> any any (msg:"byte extract test 1"; \
    byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1; \
    sid:1; rev:1;)

The byte_extract is told to take 2 bytes at offset 0 and treat it as a decimal string. The stored value in the variable two1 will then be the number that it captured. So if the input bytes were 99 the variable two1 will be the number 99. In this example it will mean that depth will use a value of 99.

In general, the bytes that are extracted will be turned into a number. The keyword's options determine how we go from the raw bytes to the numeric representation.
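A small model of both conversions (raw big-endian bytes versus string,dec) and of how the resulting number drives depth, added here as an example; it is not code from the thread or from Suricata, and the depth-from-offset window semantics and the sample payloads are assumptions:

```python
# Added example, not from the thread or from Suricata itself: a small model of
# how byte_extract converts the captured bytes into a number and how that number
# then drives a content modifier such as depth. Modelled semantics (assumed from
# the Suricata byte_extract/content docs): without "string" the bytes are an
# unsigned big-endian integer; with "string" they are ASCII digits in the given
# base; the depth window is counted from the position set by offset.

def byte_extract(payload: bytes, nbytes: int, offset: int,
                 string: bool = False, base: str = "dec") -> int:
    """Return the value byte_extract would store in its variable."""
    chunk = payload[offset:offset + nbytes]
    if len(chunk) != nbytes:
        raise ValueError("payload too short for byte_extract")
    if not string:
        return int.from_bytes(chunk, "big")      # raw bytes -> integer
    radix = {"dec": 10, "hex": 16, "oct": 8}[base]
    return int(chunk.decode("ascii"), radix)     # ASCII digits -> integer


def content_match(payload: bytes, needle: bytes, offset: int, depth: int):
    """Return the index where content matches inside the window, else None."""
    window = payload[offset:offset + depth]
    pos = window.find(needle)
    return None if pos < 0 else offset + pos


def thread_case(needle: bytes):
    """The asker's rule: byte_extract:1,0,key; content:needle; offset:3; depth:key;"""
    payload = b"aaabbbccc"                       # constructed, as in the question
    key = byte_extract(payload, 1, 0)            # no "string": b"a" -> 0x61 -> 97
    return key, content_match(payload, needle, 3, key)


def verify_case():
    """The suricata-verify rule: byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1;"""
    payload = b"34 is the depth"                 # constructed sample input
    two1 = byte_extract(payload, 2, 0, string=True, base="dec")  # b"34" -> 34
    return two1, content_match(payload, b"34", 0, two1)


if __name__ == "__main__":
    print(thread_case(b"b"))    # (97, 3): depth is 97, so the window covers the rest of the payload
    print(thread_case(b"c"))    # (97, 6): which is why content:"c" matches as well
    print(verify_case())        # (34, 0)
```

With the one-byte extract of "a" the variable holds 97 (the byte value, not a count of bytes), so depth:key reaches far past the nine-byte payload and any content after offset 3 matches.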

Thanks for your reply, that example makes it a lot clearer. The problem I had was the way the rule got from the raw bytes to the numeric representation. So when for example these options with the decimal string are not there, as far as I see the extracted numerical value is now the decimal representation of the hex value of the bytes, which took me quite a while to figure out.

Also just as a note, it might be a good idea to update the Suricata documentation sooner or later because the options of your example are nowhere mentioned in the documentation as far as I see it.