byte_jump
The byte_jump rule option reads some number of bytes from the packet, converts them from their numeric representation if necessary, and moves the detection cursor that many bytes forward. By having an option that reads the length of a portion of data, rules can be written that skip over specific portions of length-encoded protocols and perform detection in very specific locations.
byte_jump is declared with the keyword, followed by a colon character, followed by two required arguments separated by commas: (1) the number of bytes to grab from the packet and (2) the offset of the bytes to grab. These two arguments must be specified in this order. A few optional arguments, also separated by commas, may be declared afterwards; they are listed and described below.
Format:
byte_jump:count, offset[, relative][, multiplier multiplier][,endian] \
[, string[, {dec|hex|oct}]][, align][, from_beginning][, from_end] \
[, post_offset adjustment_value][, dce][, bitmask bitmask];
| Argument | Description |
|---|---|
| count | Number of bytes to pick up from the buffer (valid values are 0:10 if the string argument is used and 0:4 if it is not) |
| offset | Variable name or number of bytes into the buffer to start processing (valid values are -65535:65535) |
| relative | Offset from the cursor instead of the start of the buffer |
| multiplier multiplier | Multiply the grabbed value by the given amount (valid values are 1:65535) |
| endian | Set to either big or little to specify whether to process the data as big-endian or little-endian (extracted data is processed as big-endian by default) |
| align | Round the number of converted bytes up to the next 32-bit boundary |
| dce | Use the DCE/RPC 2 inspector engine to determine the byte endianness |
| string | Pick up bytes from the packet that are stored in string format |
| hex | Grab the string bytes in the packet from a hexadecimal string (must be accompanied by string) |
| oct | Grab the string bytes in the packet from an octal string (must be accompanied by string) |
| dec | Grab the string bytes in the packet from a decimal string (the default when string is set) |
| from_beginning | Jump from the beginning of the packet payload instead of the current cursor location |
| from_end | Jump from the end of the packet payload instead of the current cursor location |
| post_offset adjustment_value | Number of bytes to skip forward or backward after the jump (valid values are a variable name or an integer in the range -65535:65535) |
| bitmask bitmask | Perform a bitwise AND with the specified bitmask on the grabbed value before jumping (valid values are 0x01:0xFFFFFFFF) |
Note: The bitmask argument result will be right-shifted by the number of bits equal to the number of trailing zeros in the mask.
Examples:
# grab the 2 bytes at offset 0 and
# jump that many bytes forward
byte_jump:2,0;
content:"START";
byte_extract:1, 0, myvar, relative;
# grab a single byte 3 bytes after the previous
# byte_extract location, jump forward that number
# of bytes, and then adjust forward "myvar"
# number of bytes after the jump
byte_jump:1,3,relative,post_offset myvar;
content:"END", distance 6, within 3;
# grab 2 bytes at offset 1 from the current cursor location,
# bitmask AND the grabbed bytes by 0x03f0, jump the
# resulting number of bytes, and then adjust forward
# 2 bytes after the jump
byte_jump:2,1,relative,post_offset 2,bitmask 0x03f0;
byte_test:2,=,968,0,relative;
# this grabs 0 bytes so that it can
# jump backwards 6 bytes from the end of the
# current payload
byte_jump:0,0,from_end,post_offset -6;
content:"end..", distance 0, within 5;
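To make the cursor arithmetic of the examples above concrete, here is an added Python model of byte_jump (written for this page, not Snort's own code). It applies the steps in the order the option description implies: grab, convert (endian or string radix), bitmask with trailing-zero shift, multiplier, align, choose the jump base, then post_offset. The treatment of from_end (value added to the payload length) and of out-of-range results (the option fails, returning None) are assumptions about the implementation; the payloads are constructed samples.

```python
def byte_jump(payload, cursor, count, offset, relative=False, multiplier=1,
              endian="big", string=None, align=False, from_beginning=False,
              from_end=False, post_offset=0, bitmask=None):
    """Return the new cursor position, or None when the option fails to match."""
    base = cursor if relative else 0
    start = base + offset
    if start < 0 or start + count > len(payload):
        return None                              # grab would run outside the buffer
    raw = payload[start:start + count]
    if count == 0:
        value = 0                                # nothing grabbed: jump value is 0
    elif string:
        radix = {"dec": 10, "hex": 16, "oct": 8}[string]
        try:
            value = int(raw.decode("ascii"), radix)
        except (UnicodeDecodeError, ValueError):
            return None                          # not a number in that base
    else:
        value = int.from_bytes(raw, endian)      # "big" (default) or "little"
    if bitmask is not None:
        value &= bitmask
        value >>= (bitmask & -bitmask).bit_length() - 1  # shift out trailing zero bits
    value *= multiplier
    if align:
        value = (value + 3) & ~3                 # round up to the next 32-bit boundary
    if from_beginning:
        pos = value
    elif from_end:
        pos = len(payload) + value               # assumption: value is an offset from the end
    else:
        pos = start + count + value              # jump from just past the grabbed bytes
    pos += post_offset
    if pos < 0 or pos > len(payload):
        return None                              # landed outside the buffer
    return pos

# Constructed payloads (not real traffic) matching the page's examples.
EX1 = b"\x00\x05" + b"XXXXX" + b"START"          # byte_jump:2,0 lands on "START"
EX3 = b"\x00\x12\x34" + b"A" * 37 + b"\x03\xc8"  # (0x1234 & 0x03f0) >> 4 == 35, 968 at 40
EX_STR = b"0012" + b"." * 20                     # decimal string length field

if __name__ == "__main__":
    print(byte_jump(EX1, 0, 2, 0))                                                # 7
    print(byte_jump(EX3, 0, 2, 1, relative=True, post_offset=2, bitmask=0x03F0))  # 40
    print(byte_jump(EX3, 10, 0, 0, from_end=True, post_offset=-6))                # 36
    print(byte_jump(EX_STR, 0, 4, 0, string="dec"))                               # 16
```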