How can I use byte_math only with a variable

I want to extract 1 byte with byte_extract, then use the variable from byte_extract in byte_math for a calculation.
But the documentation says:
byte_math:bytes | , offset , oper , rvalue , \
result <result_var> [, relative] [, endian ] [, string ] \
[, dce] [, bitmask ];

If I take the variable name from byte_extract, do I not need to use offset, or do I still need to use offset in byte_math?
If I need to use offset anyway in byte_math, tell me why, and what does offset do? Because I take and calculate a variable, NOT bytes.

byte_math uses 2 values – one of them is rvalue where you’d specify the variable from byte_extract … the second value is specified by a combination of the bytes and offset values.

Here’s an example rule that uses a variable from byte_extract:

alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative; byte_math: bytes 1, offset 1, oper -, rvalue extracted_val, result var; byte_test: 1, <, var, 9; msg:"Byte extract and byte math with byte test verification"; sid:1;)

Hello Jeff!
Thanks for the answer!

Can I expand the question:
I understand your example! Your byte_math in the example uses bytes, not a variable. In the documentation, as I said earlier, you can use bytes num of bytes | variable-name at the beginning of byte_math. My question is that I don’t understand how I can use ONLY . I’ll give you an example (ICS-pcap/S7/4-S7comm-Download-DB1-with-password-request at master · automayt/ICS-pcap · GitHub):

1- The length of the “ISO 8073/X.224 COTP Connection-Oriented Transport Protocol” is specified
2- The length of the “Parameter” tree is specified
I want to make a rule that matches content 32 07 and then detects the Return code in the Data tree (Return code: Object does not exist 0x0a). So I imagine in my head that I need to take the length under number 1 and the parameter length under number 2, and calculate how far I need to offset from the beginning of the payload to the beginning of the Data tree. The only idea that came to me was to combine the 2 values using byte_math, because the documentation says that variables can be used. So I thought it would be possible to do this:
alert tcp any 102 -> any any (msg:"s7comm Response Error"; flow:established,to_client; byte_math:bytes 1, offset 4, oper +, rvalue 14, result 1st_math; byte_extract:2,4,1st_extract,relative; byte_math: bytes 1st_math, offset 0, oper +, rvalue 1st_extract, result 2nd_math, relative; content:"|0a|"; offset:2nd_math; depth:1; sid:1;)
My first byte_math will calculate the length of the “ISO 8073/X.224 COTP Connection-Oriented Transport Protocol” tree and add 14 bytes. byte_extract will extract the length of the “Parameter” tree. My second byte_math should sum up the results of 1st_math and 1st_extract. I thought so because the documentation says:

number of bytes selected from the packet or the name of a **byte_extract variable**
The above example rule will not work.

This is just an example! The main purpose of my question is: can I count 2 variables in byte_math (bytes 1st_math, offset 0, oper +, rvalue 1st_extract, result 2nd_math, relative;)?
And why can’t byte_math just count 2 variables? If I can’t, then why does the documentation say that I can take the byte_extract variable?

I stand corrected – sorry, I had forgotten I had added this feature 2 years ago.

Yes, you can use a variable name for the bytes value. Your question about the offset is valid – why is it needed to locate the item if it comes from a variable. Use an offset value of 0.

No.
Your variant:
alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative; byte_math: bytes 1, offset 1, oper -, rvalue extracted_val, result var; byte_test: 1, <, var, 9; msg:"Byte extract and byte math with byte test verification"; sid:1;)
My variant:
alert tcp any 102 -> any any (msg:"s7comm Response Error"; flow:established,to_client; byte_math:bytes 1, offset 4, oper +, rvalue 14, result 1st_math; byte_extract:2,4,1st_extract,relative; byte_math: bytes 1st_math, offset 0, oper +, rvalue 1st_extract, result 2nd_math, relative; content:"|0a|"; offset:2nd_math; depth:1; sid:1;)
Do you see? I want to choose the variable from byte_extract for byte_math and count TWO VARIABLES.

My question is:

The documentation says that I can choose a variable name from byte_extract for num of bytes.
In your example you chose the variable in byte_math for rvalue, NOT for num of bytes.

Please download the pcap ICS-pcap/S7/4-S7comm-Download-DB1-with-password-request at master · automayt/ICS-pcap · GitHub
I need to detect the error in frame 49, byte |0a|.
I wrote a rule with byte_math that counts two variables:
alert tcp any 102 -> any any (msg:"s7comm Error";
flow:established,to_client;
byte_math:bytes 1,offset 4,oper +,rvalue 15,result offset_parameter_length;
byte_math:bytes 1,offset 4,oper +,rvalue 5,result offset_math;
content:"|32 07|"; offset:offset_math; depth:2; fast_pattern;
byte_extract:2,4,result_extract,relative;
byte_math: bytes offset_parameter_length, offset 0, oper +, rvalue result_extract, result offset_error;
content:"|0a|"; offset:offset_error;
sid:7002938; classtype:protocol-command-decode; rev:1;)

The syntax of this rule is correct and Suricata accepts it. But it does not work.
I need to catch byte |0a| at offset 39.
byte_math:bytes 1,offset 4,oper +,rvalue 15,result offset_parameter_length; - it’s 17
byte_extract:2,4,result_extract,relative; - it’s 12
byte_math: bytes offset_parameter_length, offset 0, oper +, rvalue result_extract, result offset_error; - must be 39, but when I run this rule it does not work. I have checked the first byte_math, which saves var “offset_parameter_length”, and have checked byte_extract, which saves var “result_extract”. The values of their variables are the same as what I calculated (17 and 12 respectively). But when I calculate them in the second byte_math, which saves var “offset_error”, I don’t get the value 39.

I apologize if I’m not asking the questions correctly enough. Thank you so much for your answers!

@Jeff_Lucovsky Jeff, can you answer my question?

What should the value of offset_parameter_length be? I’m showing it as 12.

Is that the correct value?

No. Not 12.
Look at the pcap file “4-S7comm-Download-DB1-with-password-request.pcap” in ICS-pcap/S7/4-S7comm-Download-DB1-with-password-request at master · automayt/ICS-pcap · GitHub, frame 49.
byte_math:bytes 1,offset 4,oper +,rvalue 15,result offset_parameter_length; - 2 + 15 = 17
byte_extract:2,4,result_extract,relative; (relative to content:"|32 07|";) - extracts 00 0c, or 12

Thanks … I’m continuing to look into this.

Can you provide the values for the other variables to expedite?

  • offset_math
  • result_extract
  • offset_error
  • offset_parameter_length = 17
  • offset_math = 7 (byte_math:bytes 1,offset 4,oper +,rvalue 5,result offset_math;)
  • result_extract = 12 (content:"|32 07|"; offset:offset_math; depth:2; fast_pattern;
    byte_extract:2,4,result_extract,relative;)
  • offset_error = ? I don’t know. That’s why I wrote here. I think that offset_error must be 29, or (12+17).

@Jeff_Lucovsky

@Jeff_Lucovsky? Do you have an idea?

Is this snippet correct – the value of offset_parameter_length is 17, so this is byte_math: bytes 17, which is the byte count to select – I’d expect this to be a smaller value (2, 4 or 8).
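
As an added illustration of the point above (example code written for this thread, not Suricata's implementation or a rule from the posts): a small Python evaluator that replays the keyword chain of the rule in the thread over a constructed payload. It assumes an 8-byte cap on the `bytes` count and a simplified `relative` cursor; `bytes` is treated as a count of packet bytes to select, which is why `bytes offset_parameter_length` (17) fails in this model, while a variable used as `rvalue` works.

```python
# Toy evaluator for the byte_extract / byte_math semantics discussed in this thread.
# Constructed sample payload (not the pcap linked above): TPKT header, COTP header
# whose length byte at offset 4 is 0x02, then an S7comm header starting with 32 07
# whose parameter-length field (00 0c = 12) sits 4 bytes after the end of 32 07.
PAYLOAD = bytes.fromhex(
    "03000027" "02f080" "3207" "0000" "0001" "000c" "0008" "0000" + "00" * 12 + "0a" + "00" * 7
)
MAX_BYTES = 8  # assumed cap on how many packet bytes one keyword may select

def read_packet_bytes(payload, nbytes, offset, cursor=0):
    """Select `nbytes` big-endian bytes at `cursor + offset`; `cursor` is the end
    of the previous content match for `relative` keywords, else 0."""
    if not 1 <= nbytes <= MAX_BYTES:
        raise ValueError(f"bytes {nbytes}: byte count must be 1..{MAX_BYTES}")
    chunk = payload[cursor + offset:cursor + offset + nbytes]
    if len(chunk) != nbytes:
        raise ValueError("selection runs past the end of the payload")
    return int.from_bytes(chunk, "big")

def byte_math(payload, nbytes, offset, oper, rvalue, env, relative=False):
    """`nbytes` and `rvalue` may be ints or names of variables already in `env`.
    `bytes` is always a count of packet bytes to select; only `rvalue` is a
    plain operand, so that is where a byte_extract variable belongs."""
    nbytes = env[nbytes] if isinstance(nbytes, str) else nbytes
    rvalue = env[rvalue] if isinstance(rvalue, str) else rvalue
    lvalue = read_packet_bytes(payload, nbytes, offset, env["_cursor"] if relative else 0)
    ops = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
           "*": lambda a, b: a * b, "/": lambda a, b: a // b}
    return ops[oper](lvalue, rvalue)

def run_rule(payload=PAYLOAD):
    """Replay the keyword sequence of the rule in the thread; returns the variables."""
    env = {"_cursor": 0}
    env["offset_parameter_length"] = byte_math(payload, 1, 4, "+", 15, env)  # 0x02 + 15
    env["offset_math"] = byte_math(payload, 1, 4, "+", 5, env)               # 0x02 + 5
    # content:"|32 07|"; offset:offset_math; depth:2;  -> search window is 2 bytes wide
    pos = payload.find(b"\x32\x07", env["offset_math"], env["offset_math"] + 2)
    if pos < 0:
        return None  # content did not match, so the rule stops here
    env["_cursor"] = pos + 2
    env["result_extract"] = read_packet_bytes(payload, 2, 4, env["_cursor"])  # relative
    try:  # bytes offset_parameter_length (= 17) asks to select 17 packet bytes
        byte_math(payload, "offset_parameter_length", 0, "+", "result_extract", env, True)
        env["two_variable_error"] = None
    except ValueError as err:
        env["two_variable_error"] = str(err)
    # A variable is valid as rvalue: one packet byte (0x02) plus result_extract (12)
    env["byte_plus_variable"] = byte_math(payload, 1, 4, "+", "result_extract", env)
    return env
```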

Yes, offset_parameter_length is 17. Why, @Jeff_Lucovsky, do you expect that offset_parameter_length would be a smaller value? Look at the screenshots, where I explained offset_parameter_length and result_extract.

Or download the pcap from GitHub ICS-pcap/S7/4-S7comm-Download-DB1-with-password-request at master · automayt/ICS-pcap · GitHub, open the pcap and move to frame 49.

@Jeff_Lucovsky are you still here?) Do you have any idea?

I’ve added some debugging statements to display the values.

  • offset = 22 and is the result of 17 (variable) + 5 (rvalue result_extract variable).
  • result_extract = 5
  • offset_parameter_length = 17
  • offset_math = 7

And… do you have an idea?