byte_extract

The byte_extract keyword is used to read some number of bytes from packet data and store the extracted byte or bytes into a named variable. This option does nothing by itself; the extracted value is meant to be used by other options later in the rule. The named variable can be used as an argument to any of the following options:

  • distance, within, offset, or depth modifiers
  • byte_test
  • byte_jump
  • isdataat

byte_extract is declared with the keyword, followed by a colon character, followed by three required arguments separated by commas: (1) the number of bytes to extract, (2) the offset of the bytes to extract, and (3) the name of the variable that will receive the extracted value. These three arguments MUST be specified in this exact order.

There are also a few optional arguments that can be added after the three required arguments, again separated by commas; they are listed and described below in the format section.

Note: The byte_extract option moves the detection cursor forward the number of bytes extracted.

Format:

byte_extract:<count>, <offset>, <name>[, relative][, multiplier <multiplier>] \
             [, <endian>][, string[, {dec|hex|oct}]][, align <align>][, dce] \
             [, bitmask <bitmask>];

| Argument | Description |
|---|---|
| count | Number of bytes to pick up from the buffer (valid values include 1:10 if the string argument is used and 1:4 if the string argument is not used) |
| offset | Number of bytes into the buffer to start processing (valid values include -65535:65535) |
| name | Name of the variable to be used in other rule options |
| relative | Offset from the cursor instead of the start of the buffer |
| multiplier <multiplier> | Multiply the extracted value by the specified amount (valid values include 1:65535) |
| align <align> | Round the number of converted bytes up to the next 2- or 4-byte boundary (valid values are 2 or 4) |
| endian | Set to either big or little to specify whether to process the data as big-endian or little-endian (extracted data is processed as big-endian by default) |
| dce | Use the DCE/RPC 2 inspector engine to determine the byte endianness |
| string | Extract bytes from the packet that are stored in string format |
| hex | Convert the string bytes in the packet from a hexadecimal string (must be accompanied by string) |
| oct | Convert the string bytes in the packet from an octal string (must be accompanied by string) |
| dec | Convert the string bytes in the packet from a decimal string (the default when string is set) |
| bitmask <bitmask> | Perform a bitwise AND with the specified bitmask on the extracted value before storing it in name (valid values are 0x01:0xFFFFFFFF) |

Examples:

byte_extract:1, 0, str_offset;
byte_extract:1, 1, str_depth;
content:"bad stuff", offset str_offset, depth str_depth;

# multiplies the extracted byte by 8 and stores the result in "multiplier_ex1"
byte_extract:1, 0, multiplier_ex1, multiplier 8;
content:"AAAAA", within multiplier_ex1;

content:"MAGIC";
# extracts 4 bytes after "MAGIC", processes those bytes as little-endian,
# and stores the value in "field_sz"
byte_extract:4, 0, field_sz, relative, little;
content:"next field", distance field_sz;

http_header;
content:"Content-Length: ";
# extracts 4 bytes represented as a decimal string
# from the packet immediately after "Content-Length: "
byte_extract:4, 0, content_len, relative, string;
isdataat:!content_len;

# extracts 4 bytes represented as a hexadecimal string
# from the beginning of the packet
byte_extract:4, 0, hex_string_var, string, hex;
content:"BBBBB", distance hex_string_var;
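To make the option's semantics concrete, the following is an added Python model of byte_extract (not Snort's own code) that applies count, offset, relative, multiplier, endian, string conversion, align and bitmask as the table above describes, moves the cursor past the extracted bytes, and replays the "Content-Length" and "MAGIC" examples on constructed sample buffers. The post-processing order (multiplier, then align, then bitmask) and the strtoul-style parsing of string values, which stops at the first non-digit, are assumptions of this model.

```python
def _strtoul(raw, base):
    """Like C strtoul on the grabbed bytes: take the longest leading run of
    digits valid in `base` and ignore the rest (so b"42\\r\\n" -> 42). Assumed."""
    digits = "0123456789abcdef"[:base]
    text = raw.decode("ascii", "replace").lower()
    n = 0
    while n < len(text) and text[n] in digits:
        n += 1
    return int(text[:n], base) if n else None

def byte_extract(buf, cursor, count, offset, relative=False, multiplier=1,
                 endian="big", string=None, align=None, bitmask=None):
    """Model of the byte_extract option. Returns (value, new_cursor), or None
    when the option would not match (bytes out of range, unparsable string).
    Post-processing order assumed here: multiplier, then align, then bitmask."""
    start = (cursor if relative else 0) + offset
    if start < 0 or start + count > len(buf):
        return None
    raw = buf[start:start + count]
    if string:                         # string, with dec (default), hex or oct
        value = _strtoul(raw, {"dec": 10, "hex": 16, "oct": 8}[string])
        if value is None:
            return None
    else:                              # raw integer, big-endian unless told otherwise
        value = int.from_bytes(raw, "little" if endian == "little" else "big")
    value *= multiplier
    if align:                          # round up to the next 2- or 4-byte boundary
        value = (value + align - 1) // align * align
    if bitmask is not None:
        value &= bitmask
    return value, start + count        # cursor moves past the extracted bytes

# Constructed sample inputs (not from the page) for the two "relative" examples.
SAMPLE_HEADER = b"Host: example\r\nContent-Length: 42\r\n\r\n"
SAMPLE_BINARY = b"MAGIC" + (3).to_bytes(4, "little") + b"pad" + b"next field"

def content_length_example(buf=SAMPLE_HEADER):
    # content:"Content-Length: "; byte_extract:4, 0, content_len, relative, string;
    cursor = buf.index(b"Content-Length: ") + len(b"Content-Length: ")
    value, _ = byte_extract(buf, cursor, 4, 0, relative=True, string="dec")
    return value

def magic_example(buf=SAMPLE_BINARY):
    # content:"MAGIC"; byte_extract:4, 0, field_sz, relative, little;
    # content:"next field", distance field_sz;
    cursor = buf.index(b"MAGIC") + len(b"MAGIC")
    field_sz, cursor = byte_extract(buf, cursor, 4, 0, relative=True, endian="little")
    return field_sz, buf.startswith(b"next field", cursor + field_sz)
```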