@ -371,7 +371,7 @@ Format::
| | - dec - Converted string represented in decimal |
| | - oct - Converted string represented in octal |
+----------------+------------------------------------------------------------------------------+
| [dce] | Allow the DCE module determine the byte order |
| [dce] | Allow the DCE module to determine the byte order |
+----------------+------------------------------------------------------------------------------+
| [bitmask] | Applies the AND operator on the bytes converted |
+----------------+------------------------------------------------------------------------------+
@ -414,6 +414,7 @@ When ``relative`` is included, there must be a previous ``content`` or ``pcre``
The result can be stored in a result variable and referenced by
other rule options later in the rule.
============== ==================================
Keyword Modifier
============== ==================================
@ -429,6 +430,7 @@ Format::
result <result_var> [, relative] [, endian <endian>] [, string <number-type>] \
[, dce] [, bitmask <value>];
+-----------------------+-----------------------------------------------------------------------+
| <num of bytes> | The number of bytes selected from the packet |
+-----------------------+-----------------------------------------------------------------------+
@ -444,19 +446,21 @@ Format::
+-----------------------+-----------------------------------------------------------------------+
| [endian <type>] | - big (Most significant byte at lowest address) |
| | - little (Most significant byte at the highest address) |
| | - dce (Allow the DCE module to determine the byte order) |
+-----------------------+-----------------------------------------------------------------------+
| [string <num_type>] | |
| | - hex Converted data is represented in hex |
| | - dec Converted data is represented in decimal |
| | - oct Converted data is represented as octal |
+-----------------------+-----------------------------------------------------------------------+
| [dce] | Allow the DCE module determine the byte order |
| [dce] | Allow the DCE module to determine the byte order |
+-----------------------+-----------------------------------------------------------------------+
| [bitmask] <value> | The AND operator will be applied to the extracted value |
| | The result will be right shifted by the number of bits equal to the |
| | number of trailing zeros in the mask |
+-----------------------+-----------------------------------------------------------------------+
Example::
alert tcp any any -> any any \
@ -484,6 +488,8 @@ Format::
[, <endian>][, string, <num_type>][, align][, from_beginning][, from_end] \
[, post_offset <value>][, dce][, bitmask <value>];
+-----------------------+-----------------------------------------------------------------------+
| <num of bytes> | The number of bytes selected from the packet to be converted |
+-----------------------+-----------------------------------------------------------------------+
@ -512,12 +518,13 @@ Format::
| [post_offset] <value> | After the jump operation has been performed, it will |
| | jump an additional number of bytes specified by <value> |
+-----------------------+-----------------------------------------------------------------------+
| [dce] | Allow the DCE module determine the byte order |
| [dce] | Allow the DCE module to determine the byte order |
+-----------------------+-----------------------------------------------------------------------+
| [bitmask] <value> | The AND operator will be applied by <value> and the |
| | converted bytes, then jump operation is performed |
+-----------------------+-----------------------------------------------------------------------+
Example::
alert tcp any any -> any any \
@ -565,10 +572,10 @@ Format::
| | - dec - Converted string represented in decimal |
| | - oct - Converted string represented in octal |
+--------------------+--------------------------------------------------------------------------+
| [dce] | Allow the DCE module determine the byte order |
| [dce] | Allow the DCE module to determine the byte order |
+--------------------+--------------------------------------------------------------------------+
| align <align-value>| Round the extracted value up to the next |
| | next <align-value> byte boundary post-multiplication (if any) |
| | <align-value> byte boundary post-multiplication (if any) |
| | ; <align-value> may be 2 or 4 |
+--------------------+--------------------------------------------------------------------------+