From 7dc4bf740aa2eac8347cfb5223a62e9707fad3e2 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 30 Mar 2023 09:48:47 -0400 Subject: [PATCH] doc/byte_math: Add divide by 0 discussion. Issue: 5945 (cherry picked from commit fd46c93a8f0f35375d349cf9402c2614dedff72b) --- doc/userguide/rules/differences-from-snort.rst | 6 ++++++ doc/userguide/rules/payload-keywords.rst | 2 ++ 2 files changed, 8 insertions(+) diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst index 1457f2c2ff..ff24a7e1af 100644 --- a/doc/userguide/rules/differences-from-snort.rst +++ b/doc/userguide/rules/differences-from-snort.rst @@ -263,6 +263,12 @@ See :doc:`http-keywords` for all HTTP keywords. use ``byte_extract`` and ``byte_test`` to verify that they work as expected. +``byte_math`` Keyword +--------------------- + +- Suricata will never match if there's a zero divisor. Division by 0 is undefined. + + ``isdataat`` Keyword -------------------- diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 1a41ef9767..f4779901ba 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -379,6 +379,8 @@ an existing variable or a specified value. When ``relative`` is included, there must be a previous ``content`` or ``pcre`` match. +Note: if ``oper`` is ``/`` and the divisor is 0, there will never be a match on the ``byte_math`` keyword. + The result can be stored in a result variable and referenced by other rule options later in the rule. -- 2.47.2
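Review bot: In doc/userguide/rules/differences-from-snort.rst, the new ``byte_math`` bullet states only what Suricata does and never says how Snort behaves, so a reader of this page cannot tell what the difference is. Suggest adding a clause describing Snort's handling of a zero divisor, or rewording the bullet to say plainly that it documents Suricata's behaviour only. The bullet should also name the ``/`` operator, as the note in payload-keywords.rst does. "Division by 0 is undefined." reads better folded into the first sentence as the reason than as a separate sentence.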
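Review bot: In doc/userguide/rules/payload-keywords.rst, the added note refers to "the divisor" without naming the option that supplies it, while the context just above describes that operand as "an existing variable or a specified value". Suggest naming the option and saying whether the note covers both cases, since a rule writer will want to know that a variable extracted from traffic that evaluates to 0 makes the keyword fail at inspection time, not only a literal 0 in the rule. Because the following paragraph says the result can be stored and referenced later in the rule, the note should also say what happens to the result variable when there is no match. A reST ``.. note::`` directive would fit better here than an inline "Note:" paragraph.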