Measure/compare byte count between two positions

I know this gets a bit into rule writing, but I was curious what native options were available within the Suricata rule engine, or if this would be better tasked for Lua scripting.

What I’m looking to do is get the count (in bytes) of the difference between a byte offset or initial match and a second/end of match. Ex. [Start]<------ byte count ------>[End] I would then like to compare that count to a defined number (ex. $byte_count > 100), and alert if greater than that count. This would function similarly to dsize, but for certain data within the payload, not necessarily the entire payload.

If anyone has any thoughts/feedback, or if you’ve done this and could offer some advice, that would be great.


I guess it depends where $byte_count comes from? If it's hardcoded you can do something like
pcre:"abc.{100}xyz"; or
content:"abc"; content:"xyz"; distance:100;

byte_extract can also be used if you want to take the value of $byte_count from the traffic somehow. For example this ET rule uses this (check rec_name):

alert dns $EXTERNAL_NET any -> any any \
  (msg:"ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617)"; \
  content:"|00|"; distance:0; byte_extract:1,1,rec_name,relative; \
  content:"|00 00 fa 00 ff|"; distance:rec_name; within:5; fast_pattern; \
  content:"|00 10 00 00|"; distance:0; endswith; \
  reference:cve,2020-8617; classtype:denial-of-service; sid:2030221; rev:1; \
  metadata:attack_target DNS_Server, created_at 2020_05_26, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_26;)

Thanks, Victor. I would have a hardcoded value in the rule, and would like to alert when $byte_count is less than or greater than that hardcoded value. Since $byte_count could be different in every packet, it would need to be determined dynamically and compared against the hardcoded value.

Sounds like you maybe could flip your logic.

alert ip any any -> any any (msg:"test"; content:"start pattern"; content:"end pattern"; within:[hardcoded value - 1]; sid:1;)
alert ip any any -> any any (msg:"test2"; content:"start pattern"; content:"end pattern"; distance:[hardcoded value + 1]; sid:2;)

My understanding is that the distance between the byte patterns can change, but the value you want to compare it against is constant. If that is the case then I think the method above should work.
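As an added example (my own code, not from the thread and not Suricata's), here is a small Python emulator of the content/distance/within/byte_extract semantics, used to check what the two "flipped" rules above match at the boundary and how the byte_extract idiom in the ET rule resolves. The semantics follow Suricata's detection engine: distance moves the start of the search window relative to the end of the previous match, within is the length of that window counted from the distance-adjusted start (so it bounds the end of the second match), and the engine retries earlier content matches when a later one fails. The START/END payloads and the TSIG-like byte string are constructed for the demo; the TSIG bytes only satisfy the rule's offset arithmetic and are not a real DNS message.

```python
"""Emulator of Suricata content/distance/within/byte_extract matching (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Val = Union[int, str, None]  # literal value, or the name of a byte_extract variable


@dataclass
class Content:
    pattern: bytes
    distance: Val = None   # relative to the end of the previous match (default 0)
    within: Val = None     # window length, counted from prev_end + distance
    extract: Optional[Tuple[int, int, str]] = None  # byte_extract:<n>,<offset>,<var>,relative after this match


def _resolve(v: Val, vars_: dict, default: int) -> int:
    if v is None:
        return default
    return vars_[v] if isinstance(v, str) else v


def _occurrences(payload: bytes, pattern: bytes, lo: int, hi: int):
    pos = payload.find(pattern, lo)
    while pos != -1 and pos + len(pattern) <= hi:
        yield pos
        pos = payload.find(pattern, pos + 1)


def match_contents(payload: bytes, contents: list) -> bool:
    """True if the whole chain matches, retrying earlier matches on failure (like Suricata)."""
    def step(idx: int, prev_end: Optional[int], vars_: dict) -> bool:
        if idx == len(contents):
            return True
        c = contents[idx]
        if prev_end is None:                      # first content: absolute search over the buffer
            lo, hi = 0, len(payload)
        else:
            distance = _resolve(c.distance, vars_, 0)
            lo = max(0, prev_end + distance)
            hi = len(payload)
            if c.within is not None:              # depth = prev_end + distance + within
                hi = min(hi, prev_end + distance + _resolve(c.within, vars_, 0))
        for pos in _occurrences(payload, c.pattern, lo, hi):
            end = pos + len(c.pattern)
            new_vars = dict(vars_)
            if c.extract is not None:
                n, off, name = c.extract
                raw = payload[end + off:end + off + n]
                if len(raw) < n:                  # byte_extract past end of buffer: try next occurrence
                    continue
                new_vars[name] = int.from_bytes(raw, "big")
            if step(idx + 1, end, new_vars):
                return True
        return False
    return step(0, None, {})


def _hex(b: bytes) -> str:
    return "|" + " ".join(f"{x:02x}" for x in b) + "|"


def to_rule(sid: int, msg: str, contents: list) -> str:
    """Render a chain as a Suricata rule; patterns are emitted as hex so no escaping is needed."""
    parts = [f'msg:"{msg}"']
    for c in contents:
        parts.append(f'content:"{_hex(c.pattern)}"')
        if c.distance is not None:
            parts.append(f"distance:{c.distance}")
        if c.within is not None:
            parts.append(f"within:{c.within}")
        if c.extract is not None:
            n, off, name = c.extract
            parts.append(f"byte_extract:{n},{off},{name},relative")
    parts.append(f"sid:{sid}")
    return "alert ip any any -> any any (" + "; ".join(parts) + ";)"


def gap_rules(start: bytes, end: bytes, threshold: int):
    """Two flipped chains: first fires when gap < threshold, second when gap > threshold.
    within bounds the END of the second match, so len(end) is added to bound the gap itself."""
    less = [Content(start), Content(end, within=threshold - 1 + len(end))]
    greater = [Content(start), Content(end, distance=threshold + 1)]
    return less, greater


def gap_classify(payload: bytes, start: bytes, end: bytes, threshold: int) -> str:
    less, greater = gap_rules(start, end, threshold)
    if match_contents(payload, less):
        return "less"
    if match_contents(payload, greater):
        return "greater"
    return "neither"


START, END = b"START", b"END"


def sample(gap: int) -> bytes:
    """Constructed payload: START, `gap` filler bytes, END."""
    return b"hdr" + START + b"A" * gap + END + b"trailer"


# The byte_extract idiom from the ET rule, as a chain (extract attached to the preceding content).
DNS_CHAIN = [Content(b"\x00", extract=(1, 1, "rec_name")),
             Content(b"\x00\x00\xfa\x00\xff", distance="rec_name", within=5)]
# Constructed bytes laid out to satisfy that arithmetic only (not a real DNS message):
# 00, one skipped byte, rec_name=4, two filler bytes, then the 5-byte pattern at offset 1+4.
TSIG_OK = b"\x00\xaa\x04\xbb\xcc\x00\x00\xfa\x00\xff"
TSIG_BAD = b"\x00\xaa\x05\xbb\xcc\x00\x00\xfa\x00\xff"  # rec_name=5: window starts one byte too late

if __name__ == "__main__":
    for gap in (0, 96, 99, 100, 101):
        print(gap, gap_classify(sample(gap), START, END, 100))
    print(to_rule(1, "gap lt 100", gap_rules(START, END, 100)[0]))
    print(match_contents(TSIG_OK, DNS_CHAIN), match_contents(TSIG_BAD, DNS_CHAIN))
```

Two things the emulator makes visible. First, `within:[value - 1]` as literally written bounds the gap plus the length of the end pattern, so with a 3-byte end pattern and a threshold of 100 it stops firing at gap 96; adding `len(end)` (within:102) gives exactly gap < 100. Second, a gap equal to the threshold matches neither rule, which is the intended "strictly less / strictly greater" split; use `distance:[value]` if "greater than or equal" is wanted.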