byte_extract
The byte_extract keyword is used to read a some number of bytes from packet data and store the extracted byte or bytes into a named variable. This option does nothing by itself, and the extracted value should be used with other options later in the rule. The named variable can be used as arguments to any of the following options:
distance,within,offset, ordepthmodifiersbyte_testbyte_jumpisdataat
byte_extract is declared with the keyword, followed by a colon character, followed by three required arguments separated by commas: (1) number of bytes to extract, (2) the offset of the bytes to extract, and (3) the name of variable that will receive the extracted value. These three arguments MUST be specified in this exact order.
There are also a few additional optional arguments that can be added after the three required arguments, which are also separated by commas, and they are listed and described below in the formatting section.
Note: The
byte_extractoption moves the detection cursor forward the number of bytes extracted.
Format:
byte_extract:count, offset, name[, relative][, multiplier multiplier] \
[, endian][, string[, {dec|hex|oct}]][, align align][, dce] \
[, bitmask bitmask];Argument | Description |
|---|---|
count | Number of bytes to pick up from the buffer (valid values include 1:10 if string argument is used and 1:4 if string argument is not used) |
offset | Number of bytes into the buffer to start processing (valid values include -65535:65535) |
name | Name of the variable to be used in other rule options |
relative | Offset from cursor instead of start of buffer |
multiplier multiplier | Multiply the extracted value by the specified amount (valid values include 1:65535) |
align align | Round the number of converted bytes up to the next 2- or 4-byte boundary (valid values may be 2 or 4) |
endian | Set to either big or little to specify whether to process the data as little-endian or big-endian (extracted data is processed as big-endian by default) |
dce | Use the DCE/RPC 2 inspector engine to determine the byte endianness |
string | Extract bytes from packet that are stored in string format |
hex | Convert the string bytes in the packet from a hexadecimal string (must be accompanied by string) |
oct | Convert the string bytes in the packet from an octal string (must be accompanied by string) |
dec | Convert the string bytes in the packet from a decimal string (the default option when string is set) |
bitmask bitmask | Perform an AND bitwise operation with the specified bitmask on the extracted value before storing it in name (valid values are 1:count) |
Examples:
byte_extract:1, 0, str_offset;
byte_extract:1, 1, str_depth;
content:"bad stuff", offset str_offset, depth str_depth;
# multiplies the extracted byte by 8 and stores the result in "multiplier_ex1"
byte_extract:1, 0, multiplier_ex1, multiplier 8;
content:"AAAAA", within multiplier_ex1;
content:"MAGIC";
# extracts 4 bytes after "MAGIC", processes those bytes as little-endian,
# and stores the value in "field_sz"
byte_extract:4, 0, field_sz, relative, little;
content:"next field", distance field_sz;
http_header;
content:"Content-Length: ";
# extracts 4 bytes represented as a decimal string
# from the packet immediately after "Content-Length: "
byte_extract:4, 0, content_len, relative, string;
isdataat:!content_len;
# extracts 4 bytes represented as a hexadecimal string
# from the beginning of the packet
byte_extract:4, 0, hex_string_var, string, hex;
content:"BBBBB", distance hex_string_var;