byte_jump

The byte_jump rule option reads some number of bytes from the packet, converts them from their numeric representation if necessary, and moves that many bytes forward. By having an option that reads the length of a portion of data, rules can be written that skip over specific portions of length-encoded protocols and perform detection in very specific locations.

byte_jump is declared with the keyword, followed by a colon character, followed by just two required arguments separated by commas: (1) the number of bytes to grab from the packet and (2) the offset of the bytes to grab. These two arguments must be specified in this order, and there are also a few optional arguments that can be declared afterwards, which are also separated by commas. They are listed and described below.

Format:

byte_jump:count, offset[, relative][, multiplier multiplier][, endian] \
          [, string[, {dec|hex|oct}]][, align][, from_beginning][, from_end] \
          [, post_offset adjustment_value][, dce][, bitmask bitmask];
Argument                     | Description
-----------------------------|------------------------------------------------------------
count                        | Number of bytes to pick up from the buffer (valid values: 0:10 if the string argument is used, 0:4 if it is not)
offset                       | Variable name or number of bytes into the buffer at which to start processing (valid values: -65535:65535)
relative                     | Offset from the cursor instead of the start of the buffer
multiplier multiplier        | Multiply the grabbed value by the given amount (valid values: 1:65535)
endian                       | Set to either big or little to process the data as big-endian or little-endian (extracted data is processed as big-endian by default)
align                        | Round the number of converted bytes up to the next 32-bit boundary
dce                          | Use the DCE/RPC 2 inspector to determine the byte endianness
string                       | Pick up bytes from the packet that are stored in string format
hex                          | Grab the string bytes in the packet from a hexadecimal string (must be accompanied by string)
oct                          | Grab the string bytes in the packet from an octal string (must be accompanied by string)
dec                          | Grab the string bytes in the packet from a decimal string (the default when string is set)
from_beginning               | Jump from the beginning of the packet payload instead of the current cursor location
from_end                     | Jump from the end of the packet payload instead of the current cursor location
post_offset adjustment_value | Number of bytes to skip forward or backward after the jump (valid values: a variable name or an integer in the range -65535:65535)
bitmask bitmask              | Perform a bitwise AND with the specified bitmask on the grabbed value before jumping (valid values: 0x01:0xFFFFFFFF)

Note: The bitmask argument result will be right-shifted by the number of bits equal to the number of trailing zeros in the mask.

Examples:

# grab the 2 bytes at offset 0 and
# jump that many bytes forward
byte_jump:2,0;
content:"START";
byte_extract:1, 0, myvar, relative;
# grab a single byte 3 bytes after the previous
# byte_extract location, jump forward that number
# of bytes, and then adjust forward "myvar"
# number of bytes after the jump
byte_jump:1,3,relative,post_offset myvar;
content:"END", distance 6, within 3;
# grab 2 bytes at offset 1 from the current cursor location,
# bitmask AND the grabbed bytes with 0x03f0 (right-shifted by
# the mask's 4 trailing zero bits), jump the resulting number
# of bytes, and then adjust forward 2 bytes after the jump
byte_jump:2,1,relative,post_offset 2,bitmask 0x03f0;
byte_test:2,=,968,0,relative;
# this grabs 0 bytes so that it can
# jump backwards 6 bytes from the end of the
# current payload
byte_jump:0,0,from_end,post_offset -6;
content:"end..", distance 0, within 5;
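As an added illustration (not Snort's own code), a Python model of the cursor arithmetic the arguments above describe, run over constructed payloads shaped like the first and last examples. It assumes the jump starts just past the grabbed bytes unless from_beginning or from_end is set, does not model dce (endianness taken from the DCE/RPC 2 inspector), and takes numeric arguments only, not variable names.

```python
def byte_jump(payload, cursor, count, offset, relative=False, multiplier=1,
              endian="big", string=None, align=False, from_beginning=False,
              from_end=False, post_offset=0, bitmask=None):
    """Model of byte_jump cursor movement (added example, not Snort's code).
    Returns the new cursor, or None when the read or the landing point falls
    outside the payload, i.e. when the option would not match."""
    if not 0 <= count <= (10 if string else 4):
        raise ValueError("count out of range for this mode")
    base = cursor if relative else 0          # relative: offset from the cursor
    start = base + offset
    if start < 0 or start + count > len(payload):
        return None                           # grab would read past the buffer
    raw = payload[start:start + count]
    if count == 0:
        value = 0                             # count 0 grabs nothing (from_end example)
    elif string:                              # ASCII digits in the chosen radix
        value = int(raw.decode("ascii"), {"dec": 10, "hex": 16, "oct": 8}[string])
    else:                                     # raw integer, big-endian by default
        value = int.from_bytes(raw, "little" if endian == "little" else "big")
    if bitmask is not None:
        value &= bitmask
        value >>= (bitmask & -bitmask).bit_length() - 1   # shift by trailing zeros
    value *= multiplier
    if align:
        value = (value + 3) & ~3              # round up to the next 32-bit boundary
    if from_beginning:
        dest = value
    elif from_end:
        dest = len(payload) - value
    else:
        dest = start + count + value          # assumed: jump begins past the grabbed bytes
    dest += post_offset
    return dest if 0 <= dest <= len(payload) else None


if __name__ == "__main__":
    # Constructed payload: 2-byte big-endian length (5), 5 data bytes, "START",
    # then a trailer whose last 6 bytes are "end..!"
    pkt = b"\x00\x05" + b"hello" + b"START" + b"...end..!"
    pos = byte_jump(pkt, 0, 2, 0)                                  # byte_jump:2,0;
    print(pos, pkt[pos:pos + 5])                                   # 7 b'START'
    pos = byte_jump(pkt, 0, 0, 0, from_end=True, post_offset=-6)   # byte_jump:0,0,from_end,post_offset -6;
    print(pos, pkt[pos:pos + 5])                                   # 15 b'end..'
```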