I need help writing a rule for the Request Path section. The section changes from packet to packet (the number of segments in it changes, and therefore the number of bytes per section also changes). In this section, you need to find a sequence of bytes. Since the length in bytes changes, I take the value from the Request Path Size and multiply it by 2, saving it to a variable. Next, I use this variable for depth. The specified section is immediately followed by a data section, which may contain the desired sequence, but this is a false positive.
Here’s what I’ve come up with so far.
alert tcp any any -> any 44818 (msg:"Alert PLC Allen Bradley"; byte_math:bytes 1, offset:46,oper *,rvalue 2, result var, string dec; content:"|20 6b|"; offset:47; depth:var; sid:10001; rev:1;)
On paper, everything works, but Suricata gives errors (parser error, ret -1…) and complains about byte_math, specifically about the “*” operator. What should I do?
Here is a photo of the two dumps the rule was written against. 1 - should be detected, 2 - should not be detected (the sequence “20 6b” is in the data section)
The multiplication operator is not yet supported (see issue link below). There’s a second issue with your rule – change offset:46,oper to offset 46,oper (remove the :)
That's great. Then I'll do it with byte_extract and byte_math.
alert tcp any any -> any 44818 (msg:"Alert PLC Allen Bradley"; byte_extract:1,46,len,string,dec; byte_math:bytes 1,offset 47,oper +,rvalue len,result var,string dec; content:"|20 6b|"; offset:47; depth:var; sid:10001; rev:1;)
In the first option, I get the value of the Request Path Size byte and write it to “len”. In the second option, I take the same byte and add “len” to it, writing the result to “var”. Next I use depth:var. This does not cause errors, but it does not detect the packet I need (dump 1). Why?
The main goal of the rule is to detect packets with the “20 6b” sequence, which is located in the Request Path section.
Since the length of the Request Path block always changes, I want to use the Request Path Size static field value, which specifies the size of the Request Path section.
With the byte_extract option, we take the value of the Request Path Size field into the variable “len” (decimal).
In the byte_math option, we again take the value of the Request Path Size field and add it to “len”. We write all this into the variable “var” (decimal number). This is done instead of multiplication, which is not supported in my version of Suricata.
Next, we use “var” in the “depth” option to specify the depth to search for the “content” and “offset” options.
Since I can’t look at intermediate variable values anywhere, I don’t know what exactly is misbehaving. The final “depth” does not work out correctly because the packets are not found.
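Added example, not from the thread: a small Python model of the check the rule is meant to express, assuming (as the rule does) that Request Path Size is the single byte at payload offset 46 and that the Request Path starts at offset 47; those offsets are an assumption and must be verified against the actual dump. It shows why the size has to be multiplied by 2 and why limiting the search window keeps a hit in the trailing data section from firing.

```python
# Added example (not from the thread): models the check the rule above is
# trying to express. Offsets are ASSUMED from the thread's rule, not verified.
REQUEST_PATH_SIZE_OFFSET = 46   # assumed: byte holding Request Path Size
TARGET = b"\x20\x6b"            # the byte sequence the rule looks for


def request_path_window(payload: bytes, size_offset: int = REQUEST_PATH_SIZE_OFFSET):
    """Return (offset, depth) that covers only the Request Path section.

    Request Path Size counts 16-bit words, so the byte length is size * 2,
    which is the multiplication the thread wants byte_math to perform.
    """
    if len(payload) <= size_offset:
        raise ValueError("payload too short to hold a Request Path Size byte")
    words = payload[size_offset]
    return size_offset + 1, words * 2


def path_contains(payload: bytes, target: bytes = TARGET,
                  size_offset: int = REQUEST_PATH_SIZE_OFFSET) -> bool:
    """True only if target occurs inside the Request Path, not in the data after it.

    Mirrors content:"|20 6b|"; offset:<start>; depth:<var>; where the window is
    [start, start + depth).
    """
    start, depth = request_path_window(payload, size_offset)
    return target in payload[start:start + depth]


def naive_contains(payload: bytes, target: bytes = TARGET) -> bool:
    """A plain content match without depth: searches the whole payload, so a hit
    in the trailing data section also fires (the false positive the thread wants
    to avoid)."""
    return target in payload


# Constructed sample payloads (NOT real captures): 46 bytes of filler standing in
# for the encapsulation/CIP header, then Request Path Size, the path, then data.
HEADER = bytes(46)
# Dump 1 style: path of 2 words (4 bytes) containing 20 6b; data section clean.
DUMP1 = HEADER + bytes([2]) + b"\x20\x6b\x24\x01" + b"\x00\x11\x22\x33"
# Dump 2 style: path of 2 words without 20 6b; data section contains 20 6b.
DUMP2 = HEADER + bytes([2]) + b"\x20\x01\x24\x01" + b"\x00\x20\x6b\x33"
```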
Hi Ian,
Is the offset value of 46 correct? Many times byte_extract is used with content: the content match sets the position for byte_extract. Use relative if you have a content precede byte_extract.
Your rule uses 46 (decimal) for the offset but the bytes 20 6b are at offset 0x6c