
I have written the following rule in my Suricata rules file:

alert tcp any any <> any any (flow:established; content:"|65|"; offset:0; depth:1; byte_test:1, =, 3, 2, bitmask 0x03; msg:"detected"; classtype:bad-unknown; sid:222; rev:1; priority:1;)

But it shows the following error because of the bitmask:

...
[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1, =, 3, 2, bitmask 0x03 
...

I have found some examples in the Suricata documentation but none of them mention the way to properly use bitmask with the comparison operator.

My question is, what is the proper way to use the bitmask keyword, and why is it not working in the rule I have shown?

Khalid

1 Answer

It is unknown what version you are using, but I will assume that you are not using a beta version. bitmask was only recently implemented in 6.0.0-beta1 and is at the time of this writing not available in a stable version. The option was documented much earlier though, i.e. there was a bug in that it was documented but not actually implemented. For details see Ticket 3283 and the ChangeLog where you should search for "#3283" to find out when it was fixed.

Steffen Ullrich
  • Thank you! I am using version 5.0.3 and will see how to switch to version 6. So the way I was using it is supposed to be syntactically correct? – Khalid Oct 04 '20 at 06:00
  • @Khalid: The way you've used it seems to match [the documentation](https://suricata.readthedocs.io/en/suricata-5.0.0/rules/payload-keywords.html#byte-test). – Steffen Ullrich Oct 04 '20 at 06:06