The byte_extract Keyword

You can use the byte_extract keyword to read a specified number of bytes from a packet into a variable. You can then use the variable later in the same rule as the value for specific arguments in certain other detection keywords.

This is useful, for example, for extracting a data size from packets in which a specific segment of bytes describes the number of bytes of data that follow within the packet. For example, a specific segment of bytes might say that the subsequent data consists of four bytes; you can extract that data size of four bytes to use as your variable value.

You can use byte_extract to create up to two separate variables in a rule concurrently. You can redefine a byte_extract variable any number of times; entering a new byte_extract keyword with the same variable name and a different variable definition overwrites the previous definition of that variable.

The following table describes the arguments required by the byte_extract keyword.

Required byte_extract Arguments

Bytes to Extract
    The number of bytes to pick up from the packet.
    If you specify a number of bytes other than 1, 2, or 4, you must specify a Number Type (hexadecimal, octal, or decimal).

Offset
    The number of bytes into the payload to begin extracting data. You can specify -65535 to 65535 bytes. The offset counter starts at byte 0, so calculate the offset value by subtracting 1 from the number of bytes you want to count forward. For example, specify 7 to count forward 8 bytes. The rules engine counts forward from the beginning of the packet payload or, if you also specify Relative, after the last successful content match. Note that you can specify negative numbers only when you also specify Relative.
    You can use an existing byte_math result to specify the value for this argument.

Variable Name
    The variable name to use in arguments for other detection keywords. You can specify an alphanumeric string that must begin with a letter.

To further define how the system locates the data to extract, you can use the arguments described in the following table.

Additional Optional byte_extract Arguments

Multiplier
    A multiplier for the value extracted from the packet. You can specify 0 to 65535. If you do not specify a multiplier, the default value is 1.

Align
    Rounds the extracted value to the nearest 2-byte or 4-byte boundary. When you also select Multiplier, the system applies the multiplier before the alignment.

Relative
    Makes Offset relative to the end of the last successful content match instead of the beginning of the payload.

Bitmask
    Applies the specified hexadecimal bitmask using the AND operator to the bytes extracted by the Bytes to Extract argument.
    A bitmask can be 1 to 4 bytes.
    The result will be right-shifted by the number of bits equal to the number of trailing zeros in the mask.

You can specify only one of DCE/RPC, Endian, or Number Type.

To define how the byte_extract keyword calculates the bytes it tests, you can choose from the arguments in the following table. If you do not select a byte-ordering argument, the rules engine uses big endian byte order.

Byte-Ordering byte_extract Arguments

Big Endian
    Processes data in big endian byte order, which is the default network byte order.

Little Endian
    Processes data in little endian byte order.

DCE/RPC
    Specifies a byte_extract keyword for traffic processed by the DCE/RPC preprocessor.
    The DCE/RPC preprocessor determines big endian or little endian byte order, and the Number Type and Endian arguments do not apply.
    When you enable this argument, you can also use byte_extract in conjunction with other specific DCE/RPC keywords.

You can specify a number type to read data as an ASCII string. To define how the system views string data in a packet, you can select one of the arguments in the following table.

Number Type byte_extract Arguments

Hexadecimal String
    Reads extracted string data in hexadecimal format.

Decimal String
    Reads extracted string data in decimal format.

Octal String
    Reads extracted string data in octal format.

For example, if the value for byte_extract is specified as the following:

  • Bytes to Extract = 4

  • Variable Name = var

  • Offset = 8

  • Relative = enabled

the rules engine reads the number encoded in the four bytes that begin 9 bytes after (relative to) the end of the last successful content match into a variable named var, which you can then specify later in the rule as the value for certain keyword arguments.
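The following Python model is an added example, not part of this documentation and not the rules engine's own code. It reproduces the byte_extract semantics described above (byte counts, absolute and relative offsets, big and little endian, string number types, Bitmask with its trailing-zero right shift, Multiplier, and Align) so you can check what value a given argument set would place in the variable before writing a rule. The sample payload is constructed. Two details are assumptions rather than statements from this page: Bitmask is applied before Multiplier and Align, and Align rounds up to the next boundary (a value already on the boundary is unchanged), which matches the Snort implementation's behaviour.

```python
"""Toy model of the byte_extract keyword (added example, not product code)."""

# Constructed sample payload (not captured traffic): a 4-byte tag, 8 bytes of
# padding, a 4-byte big-endian length field (0x10 = 16), then 16 bytes of body.
SAMPLE_PAYLOAD = b"LEN:" + b"\x00" * 8 + b"\x00\x00\x00\x10" + b"A" * 16

# Number Type argument -> base used to parse the extracted ASCII string.
NUMBER_TYPE_BASE = {"hex": 16, "dec": 10, "oct": 8}


def _trailing_zero_bits(mask):
    """Count the trailing zero bits of a mask; this is the Bitmask right shift."""
    shift = 0
    while mask and not (mask & 1):
        mask >>= 1
        shift += 1
    return shift


def byte_extract(payload, nbytes, offset, *, relative=False, last_match_end=0,
                 endian="big", number_type=None, multiplier=1, align=None,
                 bitmask=None):
    """Return the integer byte_extract would store, or None if it cannot extract.

    payload        -- packet payload bytes
    nbytes         -- Bytes to Extract (1, 2 or 4 unless number_type is set)
    offset         -- Offset, counted from byte 0 of the payload, or from the end
                      of the last content match when relative=True
    last_match_end -- index just past the last successful content match
    endian         -- "big" (default network byte order) or "little"
    number_type    -- None for binary, or "hex" / "dec" / "oct" for ASCII strings
    multiplier     -- Multiplier (default 1)
    align          -- Align: 2 or 4, applied after the multiplier
    bitmask        -- Bitmask: 1 to 4 bytes wide (assumed applied before multiplier)
    """
    if number_type is None and nbytes not in (1, 2, 4):
        raise ValueError("byte counts other than 1, 2 or 4 require a Number Type")
    if offset < 0 and not relative:
        raise ValueError("negative offsets are only valid together with Relative")
    if bitmask is not None and not 1 <= bitmask <= 0xFFFFFFFF:
        raise ValueError("bitmask must be 1 to 4 bytes wide")

    start = (last_match_end if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        return None  # the bytes are not in the payload; the rule does not match

    raw = payload[start:start + nbytes]
    if number_type is None:
        value = int.from_bytes(raw, "big" if endian == "big" else "little")
    else:
        try:
            value = int(raw.decode("ascii"), NUMBER_TYPE_BASE[number_type])
        except (UnicodeDecodeError, ValueError):
            return None  # not a parsable ASCII number in that base

    if bitmask is not None:
        value = (value & bitmask) >> _trailing_zero_bits(bitmask)
    value *= multiplier
    if align in (2, 4):
        value = (value + align - 1) // align * align  # round up to the boundary
    return value


def extract_length_after_tag(payload=SAMPLE_PAYLOAD):
    """The page's worked example: after a content match on the tag, extract
    4 bytes at Offset 8 with Relative enabled into the variable 'var', then use
    var the way an isdataat Offset argument would, checking that at least var
    bytes of data follow the length field."""
    tag = b"LEN:"
    idx = payload.find(tag)
    if idx < 0:
        return None  # content match failed, byte_extract never runs
    match_end = idx + len(tag)
    var = byte_extract(payload, 4, 8, relative=True, last_match_end=match_end)
    if var is None:
        return None
    field_end = match_end + 8 + 4
    return {"var": var, "isdataat": len(payload) - field_end >= var}


if __name__ == "__main__":
    print(extract_length_after_tag())  # {'var': 16, 'isdataat': True}
```

Because the model returns None whenever the requested bytes fall outside the payload, it also shows the failure mode a rule author should expect: a length field that points past the end of the packet does not produce a variable, so keywords that depend on it do not match.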

The following table lists the keyword arguments where you can specify a variable defined in the byte_extract keyword.

Arguments Accepting a byte_extract Variable

content
    Depth, Offset, Distance, Within

byte_jump
    Offset

byte_test
    Offset, Value

byte_math
    RValue, Offset

isdataat
    Offset