git.ipfire.org Git - thirdparty/suricata.git/commitdiff
detect/byte-jump: Document var usage for nbytes
author Jeff Lucovsky <jlucovsky@oisf.net>
Fri, 9 Jun 2023 14:43:33 +0000 (10:43 -0400)
committer Victor Julien <vjulien@oisf.net>
Mon, 10 Jul 2023 07:27:03 +0000 (09:27 +0200)
Issue: 6105

doc/userguide/rules/differences-from-snort.rst
doc/userguide/rules/payload-keywords.rst

index 56da32dc84bd82d041809c0160b66217f6933d10..50f34061b9892b526724389ca31f9df665626e2c 100644 (file)
@@ -263,6 +263,16 @@ See :doc:`http-keywords` for all HTTP keywords.
    use ``byte_extract`` and ``byte_test`` to verify that they
    work as expected.
 
+
+``byte_jump`` Keyword
+---------------------
+
+-  Suricata allows a variable name from ``byte_extract`` or
+   ``byte_math`` to be specified for the ``nbytes`` value. The
+   value of ``nbytes`` must adhere to the same constraints
+   as if it were supplied directly in the rule.
+
+
 ``byte_math`` Keyword
 ---------------------
 
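Review bot: the new ``byte_jump`` bullet says the ``nbytes`` value "must adhere to the same constraints as if it were supplied directly in the rule" but neither names those constraints nor says what happens when a variable holds a value outside them. A variable's value is only known at match time, so the text should state the resulting behaviour (for example, whether the keyword then fails to match) and point to the ``byte_jump`` section of payload-keywords for the allowed values. The hunk also adds two consecutive blank lines before and after the new section where the neighbouring sections are separated by one.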
@@ -276,7 +286,7 @@ See :doc:`http-keywords` for all HTTP keywords.
    uint32 value. Snort rejects ``rvalue`` values of ``0`` and requires
    values to be between ``[1..max-uint32 value]``.
 
-- Suricata will never match if there's a zero divisor. Division by 0 is undefined.
+-  Suricata will never match if there's a zero divisor. Division by 0 is undefined.
 
 ``byte_test`` Keyword
 ---------------------
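Review bot: the bullet-spacing change on the zero-divisor line belongs to the ``byte_math`` list and is unrelated to the commit subject, which is about documenting variable use for ``byte_jump`` ``nbytes``. Mention the list-formatting fix in the commit message or move it to a separate cleanup commit.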
index 0622114c8fc27d6116732d148f4fcde4f560a82d..e9da599ee94ceda682c0103c7458071954c71405 100644 (file)
@@ -517,7 +517,7 @@ The ``byte_jump`` keyword allows for the ability to select a ``<num of bytes>``
 
 Format::
 
-  byte_jump:<num of bytes>, <offset> [, relative][, multiplier <mult_value>] \
+  byte_jump:<num of bytes> | <variable-name>, <offset> [, relative][, multiplier <mult_value>] \
         [, <endian>][, string, <num_type>][, align][, from_beginning][, from_end] \
         [, post_offset <value>][, dce][, bitmask <value>];
 
@@ -525,6 +525,7 @@ Format::
 
 +-----------------------+-----------------------------------------------------------------------+
 | <num of bytes>        | The number of bytes selected from the packet to be converted          |
+|                       | or the name of a byte_extract/byte_math variable.                     |
 +-----------------------+-----------------------------------------------------------------------+
 | <offset>             | Number of bytes into the payload                                      |
 +-----------------------+-----------------------------------------------------------------------+
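Review bot: the added table cell writes "byte_extract/byte_math variable" without the double-backtick literal markup that the other file in this change uses for keyword names, and it does not mention that the variable's value is bound by the same limits as a literal ``<num of bytes>``. Suggest marking up both keyword names (widening the column if the cell no longer fits) and adding a short pointer to the constraint, so that a reader of the table alone does not assume any extracted value is accepted.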