Writing a signature for multiple conditions


I’m trying to work out if it is possible to write a rule that inspects traffic that is not deterministic.

So say there’s a protocol with multiple TLV (type length value) fields, we’d look at type - make sure that it’s known good, length can then be checked and then allows us to move onto the new TLV header. I think I can make this work using byte_extract and byte_jump, if there’s a fixed number of TLV fields, but not if that number isn’t fixed.

Would anyone know if this is possible please?

Hi. What is the purpose of the rule(s) you want to create? In what situation should the rule send an alert?
Sounds to me like you want to validate the protocol format and alert if there are packets not following the format.

I would recommend looking into either Lua scripting (6.38. Lua Scripting for Detection — Suricata 7.0.0-dev documentation) or writing a protocol parser for Suricata. With a protocol parser you can alert on app-layer-protocol (6.32. Generic App Layer Keywords — Suricata 7.0.0-dev documentation).


Thanks for the reply - much appreciated.

I want to validate that a protocol is conforming to the RFC. So only send an alert if it doesn’t conform.

So say today if someone sent a protocol that Suricata inspects (say TLS), and say sent a certificate with a length of some crazy high value, but then cut the packet short. Is that something that Suricata would pick up, without a custom signature?


I’ll look into Lua,

I believe the fields defined in this enum can be used by the app-layer-event: keyword.

Doing something similar for your protocol would probably be the most elegant solution, but it requires knowledge about programming in C or Rust.
Validation in the rule language using Lua or byte_test and byte_jump might be doable, but you are using a tool intended for another job, so the ergonomics could probably be better.
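
Added example, not part of the thread or of Suricata's own code: a sketch of the Lua approach suggested above, walking a variable number of TLVs in the packet payload and matching when the chain is malformed. The wire format (1-byte type, 2-byte big-endian length) and the set of known types are assumptions, since the thread does not name the protocol.

```lua
-- Added example. Assumed (hypothetical) wire format:
-- 1-byte type, 2-byte big-endian length, then `length` bytes of value.
local KNOWN_TYPES = { [0x01] = true, [0x02] = true, [0x03] = true } -- placeholder set

-- Suricata calls init() once to learn which buffers the script needs.
function init(args)
    local needs = {}
    needs["payload"] = tostring(true)
    return needs
end

-- Walk however many TLVs are present.
-- Returns nil when the chain is well-formed, otherwise a reason string.
local function tlv_violation(buf)
    local pos, n = 1, #buf
    while pos <= n do
        -- A header needs 3 bytes: type + 2 length bytes.
        if n - pos + 1 < 3 then
            return "truncated header"
        end
        local t, hi, lo = string.byte(buf, pos, pos + 2)
        if not KNOWN_TYPES[t] then
            return "unknown type"
        end
        local len = hi * 256 + lo
        pos = pos + 3
        -- Declared length must fit in what is left of the payload
        -- (the oversized-length, short-packet case from the thread).
        if len > n - pos + 1 then
            return "length exceeds remaining data"
        end
        pos = pos + len -- jump to the next TLV header
    end
    return nil
end

-- Suricata calls match() per packet; returning 1 makes the lua keyword match.
function match(args)
    local payload = args["payload"]
    if payload == nil or #payload == 0 then
        return 0
    end
    if tlv_violation(payload) then
        return 1
    end
    return 0
end
```

The script is referenced from a rule with the `lua:` keyword, for example `lua:tlv_check.lua;` (file name is a placeholder). Because it sees one packet payload at a time, a TLV that legitimately spans two TCP segments will look truncated, so it suits datagram-framed protocols best.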