I have a question regarding byte_test

packet data (hex): 01 02 03 04 05 06 07 aa ff 0a

alert udp any any -> any any (msg:"sig01"; sid:20; rev:3; byte_test:1,=,0x0a,9, bitmask 0x0a;)
alert udp any any -> any any (msg:"sig01"; sid:20; rev:3; byte_test:1,=,0x0a,9, bitmask 0x0f;)

The first rule isn’t detected, but the second is. I don’t know why.
I’d appreciate any advice.

The bitmask value causes 2 things

  • The value is bitwise-anded with the value being tested
  • After this, the value is right-shifted by the number of trailing zeros in the mask.

Your 2 rules use a bitmask

  • 0xa –> 1010
  • 0xf –> 1111

0xa causes the values to first be bitwise ANDed (clearing the first and 3rd bits) and then right-shifted by 1

Why right-shifted 1 bit??

I don't understand how it works.

The bitmask semantics are derived from Snort’s behavior. We are consistent with that.

I noticed we didn’t document it for byte_test – we will correct that in the near future.

In the meantime, here’s what the documentation should’ve said for bitmask :slight_smile:

The AND operator will be applied to the extracted value. The result will be right-shifted by the number of bits equal to the number of trailing zeros in the mask.
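The semantics given in the two answers above, worked out against the packet and the two rules from the question, as an added example (this is not Suricata's code: `byte_test` here is a simplified model of the keyword, and `PAYLOAD` is the question's hex data constructed inline):

```python
# Added example, not Suricata's own code: a simplified model of byte_test's
# bitmask handling, as described in the thread, run against the packet and
# the two rules from the question.

def trailing_zeros(mask):
    """Count trailing zero bits in mask (returns 0 for mask == 0)."""
    if mask == 0:
        return 0
    n = 0
    while mask & 1 == 0:
        mask >>= 1
        n += 1
    return n

def apply_bitmask(value, mask):
    """AND the extracted value with the mask, then shift it right by the mask's trailing zeros."""
    return (value & mask) >> trailing_zeros(mask)

def byte_test(payload, num_bytes, operator, test_value, offset, bitmask=None):
    """Simplified byte_test: read num_bytes (big-endian) at offset, apply the
    optional bitmask, then compare with test_value using operator."""
    chunk = payload[offset:offset + num_bytes]
    if len(chunk) != num_bytes:
        return False  # not enough data at that offset: no match
    extracted = int.from_bytes(chunk, "big")
    if bitmask is not None:
        extracted = apply_bitmask(extracted, bitmask)
    ops = {
        "=": extracted == test_value,
        "<": extracted < test_value,
        ">": extracted > test_value,
        "&": (extracted & test_value) != 0,
        "^": (extracted ^ test_value) != 0,
    }
    return ops[operator]

# Payload from the question, constructed here as bytes.
PAYLOAD = bytes.fromhex("01 02 03 04 05 06 07 aa ff 0a")

# The two sid:20 rules as posted: byte_test:1,=,0x0a,9, bitmask 0x0a / bitmask 0x0f
RULE_MASK_0A = byte_test(PAYLOAD, 1, "=", 0x0a, 9, bitmask=0x0a)
RULE_MASK_0F = byte_test(PAYLOAD, 1, "=", 0x0a, 9, bitmask=0x0f)

if __name__ == "__main__":
    print(f"byte 9 = {PAYLOAD[9]:#04x}")
    print(f"mask 0x0a -> {apply_bitmask(PAYLOAD[9], 0x0a):#04x}, match: {RULE_MASK_0A}")
    print(f"mask 0x0f -> {apply_bitmask(PAYLOAD[9], 0x0f):#04x}, match: {RULE_MASK_0F}")
```

Under these semantics the byte at offset 9 (0x0a) becomes 0x05 after the 0x0a mask (one trailing zero, so one shift), which is why the first rule cannot equal 0x0a, while 0x0f has no trailing zeros and leaves the value unchanged.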