I need help writing a rule for the Request Path section. The section changes from packet to packet (the number of segments in it changes, and therefore the number of bytes in the section also changes). Within this section I need to find a sequence of bytes. Since the length in bytes changes, I take the value from Request Path Size, multiply it by 2 and save it to a variable. Then I use this variable for depth. The section is immediately followed by a data section, which may also contain the desired sequence, but that is a false positive.
Here’s what I’ve come up with so far.
alert tcp any any -> any 44818 (msg:"Alert PLC Allen Bradley"; byte_math:bytes 1, offset:46,oper *,rvalue 2, result var, string dec; content:"|20 6b|"; offset:47; depth:var; sid:10001; rev:1;)
On paper everything works, but Suricata gives errors (parser error, ret -1…), complaining about byte_math and specifically about the “*” operator. What should I do?
Here is a photo of two dumps on which the rule was written. 1 - should be detected, 2 - should not be detected (the sequence “20 6b” is in the data section).
This is wonderful. Then I want to do it through byte_extract and byte_math.
alert tcp any any -> any 44818 (msg:"Alert PLC Allen Bradley"; byte_extract:1,46,len,string,dec; byte_math:bytes 1,offset 47,oper +,rvalue len,result var,string dec; content:"|20 6b|"; offset:47; depth:var; sid:10001; rev:1;)
With the first option, I get the value of the Request Path Size byte and write it to “len”. With the second option, I take the same byte and add “len” to it, writing the result to “var”. Then I use depth:var. This does not cause errors, but it does not detect the packet I need (dump 1). Why?
The main goal of the rule is to detect packets with the “20 6b” sequence, which is located in the Request Path section.
Since the length of the Request Path block always changes, I want to use the Request Path Size static field value, which specifies the size of the Request Path section.
With the byte_extract option, we take the value of the Request Path Size field into the variable “len” (decimal).
In the byte_math option, we again take the value of the Request Path Size field and add “len” to it. We write all this into the variable “var” (decimal number). This is done instead of multiplication, which is not supported in my version of Suricata.
Next, we use “var” in the “depth” option to specify the depth to search for the “content” and “offset” options.
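As an added illustration (not part of the question), the Python below reproduces the logic the rule is trying to express: read the Request Path Size byte at payload offset 46, multiply it by 2 to get the path length in bytes, and search for "20 6b" only within the Request Path starting at offset 47. The two payloads are constructed stand-ins for the two dumps (the 46-byte header is filler); only the offsets and the 16-bit-word size unit come from the post.

```python
# Constructed sample payloads; offsets 46/47 are the ones stated in the post.
NEEDLE = b"\x20\x6b"
SIZE_OFFSET = 46          # Request Path Size byte (count of 16-bit words)
PATH_OFFSET = 47          # first byte of the Request Path


def request_path_contains(payload: bytes, needle: bytes = NEEDLE) -> bool:
    """Return True only if `needle` occurs inside the Request Path section.

    Mirrors the intended rule: offset 47, depth = size byte * 2, so a hit in
    the data section that follows the path is NOT counted.
    """
    if len(payload) <= SIZE_OFFSET:
        return False                      # too short to hold the size byte
    path_len = payload[SIZE_OFFSET] * 2   # size is in 16-bit words -> bytes
    path = payload[PATH_OFFSET:PATH_OFFSET + path_len]
    if len(path) < path_len:
        return False                      # truncated packet, do not trust it
    return needle in path


def build_payload(path: bytes, data: bytes) -> bytes:
    """Constructed CIP-like payload: 46 bytes of filler header, then the
    Request Path Size (in 16-bit words), the Request Path, then the data."""
    assert len(path) % 2 == 0, "CIP paths are padded to 16-bit words"
    header = bytes(SIZE_OFFSET)           # filler, not a real ENIP header
    return header + bytes([len(path) // 2]) + path + data


# Dump 1 (should match): path carries 20 6b (8-bit class logical segment)
DUMP1 = build_payload(b"\x20\x6b\x25\x00\x01\x00", b"\x00\x00\x00\x00")
# Dump 2 (should not match): different class in the path, 20 6b only in data
DUMP2 = build_payload(b"\x20\x6c\x24\x01", b"\x00\x20\x6b\x00")

if __name__ == "__main__":
    for name, dump in (("dump 1", DUMP1), ("dump 2", DUMP2)):
        print(name, "size byte =", dump[SIZE_OFFSET],
              "match =", request_path_contains(dump))
```

If this check separates your two dumps, the offsets are right and the remaining difference lies in how the rule reads the size byte and scopes depth.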