diff -Naurp snort-2.9.0.5.orig/src/detection-plugins/sp_byte_jump.c snort-2.9.0.5/src/detection-plugins/sp_byte_jump.c
--- snort-2.9.0.5.orig/src/detection-plugins/sp_byte_jump.c 2011-01-10 22:41:43.000000000 +0000
+++ snort-2.9.0.5/src/detection-plugins/sp_byte_jump.c 2011-04-29 03:20:08.000005000 +0000
@@ -33,6 +33,7 @@
* : number of bytes into the payload to grab the bytes
* Optional:
* ["relative"]: offset relative to last pattern match
+ * ["mask"]: bitmask to apply to the converted bytes (bitwise AND)
* ["big"]: process data as big endian (default)
* ["little"]: process data as little endian
* ["string"]: converted bytes represented as a string needing conversion
@@ -162,6 +163,10 @@ uint32_t ByteJumpHash(void *d)
a += (u_int32_t)data->byte_order_func;
#endif
+ mix(a,b,c);
+ a += data->mask;
+ final(a,b,c);
return c;
@@ -178,6 +183,7 @@ int ByteJumpCompare(void *l, void *r)
if (( left->bytes_to_grab == right->bytes_to_grab) &&
( left->offset == right->offset) &&
( left->offset_var == right->offset_var) &&
+ ( left->mask == right->mask) &&
( left->relative_flag == right->relative_flag) &&
( left->data_string_convert_flag == right->data_string_convert_flag) &&
( left->from_beginning_flag == right->from_beginning_flag) &&
@@ -307,11 +313,12 @@ static void ByteJumpInit(char *data, Opt
if (add_detection_option(RULE_OPTION_TYPE_BYTE_JUMP, (void *)idx, &idx_dup) == DETECTION_OPTION_EQUAL)
{
#ifdef DEBUG_RULE_OPTION_TREE
- LogMessage("Duplicate ByteJump:\n%d %d %c %c %c %c %c %d %d\n"
- "%d %d %c %c %c %c %c %d %d %d\n\n",
+ LogMessage("Duplicate ByteJump:\n%d %d %c %d %c %c %c %c %d %d\n"
+ "%d %d %c %d %c %c %c %c %d %d %d\n\n",
idx->bytes_to_grab,
idx->offset,
idx->relative_flag,
+ idx->mask,
idx->data_string_convert_flag,
idx->from_beginning_flag,
idx->align_flag,
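Review bot: The new usage line `["mask"]: bitmask to apply to the converted bytes (bitwise AND)` does not say how the value has to be written, while the `mask ` branch this patch adds to ByteJumpParse only accepts a positive base-10 integer, so a rule author who writes the mask in hex (the natural notation for a bitmask) gets a fatal error at rule load. Suggest `* ["mask"]: bitmask (positive decimal integer) ANDed with the converted bytes before the multiplier is applied`, which also records the ordering the ByteJump hunk implements (`value &= bjd->mask` runs before `value * bjd->multiplier`).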
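Review bot: `idx->mask` is printed with `%d` in the updated LogMessage format, but the field is declared `uint32_t` in the header hunk and holds a bitmask, so a mask with the top bit set shows up as a negative decimal number that is hard to relate back to the rule text. The surrounding fields already use `%d`, but for a mask `%#x` (or at least `%u`) would match the type and be readable; this is debug-only output under `DEBUG_RULE_OPTION_TREE`, so the cost of changing it is nil. The same applies to the idx_dup half of the message in the next hunk (`@@ -320`), which prints `((ByteJumpData *)idx_dup)->mask` with the same `%d`.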
@@ -320,6 +327,7 @@ static void ByteJumpInit(char *data, Opt
((ByteJumpData *)idx_dup)->bytes_to_grab,
((ByteJumpData *)idx_dup)->offset,
((ByteJumpData *)idx_dup)->relative_flag,
+ ((ByteJumpData *)idx_dup)->mask,
((ByteJumpData *)idx_dup)->data_string_convert_flag,
((ByteJumpData *)idx_dup)->from_beginning_flag,
((ByteJumpData *)idx_dup)->align_flag,
@@ -423,6 +431,25 @@ static ByteJumpOverrideData * ByteJumpPa
/* the offset is relative to the last pattern match */
idx->relative_flag = 1;
}
+ else if(!strncasecmp(cptr, "mask ", 5))
+ {
+ /* Format of this option is mask xx.
+ * xx is a positive base 10 number.
+ */
+ char *mval = &cptr[5];
+ long factor = 0;
+ int mask_len = strlen(cptr);
+ if (mask_len > 5)
+ {
+ factor = strtol(mval, &endp, 10);
+ }
+ if ((factor <= 0) || (endp != cptr + mask_len))
+ {
+ FatalError("%s(%d): invalid length mask \"%s\"\n",
+ file_name, file_line, cptr);
+ }
+ idx->mask = factor;
+ }
else if(!strcasecmp(cptr, "from_beginning"))
{
idx->from_beginning_flag = 1;
@@ -688,6 +715,10 @@ int ByteJump(void *option_data, Packet *
"grabbed %d of %d bytes, value = %08X\n",
payload_bytes_grabbed, bjd->bytes_to_grab, value););
+ /* Adjust the value with the bitmask. */
+ if (bjd->mask)
+ value &= bjd->mask;
+ /* Adjust the jump_value (# bytes to jump forward) with the multiplier. */
if (bjd->multiplier)
jump_value = value * bjd->multiplier;
diff -Naurp snort-2.9.0.5.orig/src/detection-plugins/sp_byte_jump.h snort-2.9.0.5/src/detection-plugins/sp_byte_jump.h
--- snort-2.9.0.5.orig/src/detection-plugins/sp_byte_jump.h 2011-01-10 22:41:43.000000000 +0000
+++ snort-2.9.0.5/src/detection-plugins/sp_byte_jump.h 2011-04-28 04:09:34.000002000 +0000
@@ -31,6 +31,7 @@ typedef struct _ByteJumpData
uint32_t bytes_to_grab; /* number of bytes to compare */
int32_t offset;
uint8_t relative_flag;
+ uint32_t mask;
uint8_t data_string_convert_flag;
uint8_t from_beginning_flag;
uint8_t align_flag;
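Review bot: The validation in the new `mask ` branch only rejects `factor <= 0` and trailing text: `strtol` returns a `long`, `errno` is neither reset nor checked, and the result is stored into the `uint32_t` field, so on an LP64 host a rule value such as 4294967296 (a constructed example) is accepted and silently truncated to 0, which the ByteJump hunk then treats as "no mask", while a value beyond `LONG_MAX` is clamped by strtol instead of being reported. `int mask_len = strlen(cptr)` also narrows a `size_t` for no reason. Suggest resetting errno before the call and extending the check so that overflow and anything wider than 32 bits is a fatal error; this needs `<errno.h>` and `UINT32_MAX` from `<stdint.h>` if the file does not already include them. ByteJumpParse begins and ends outside this hunk.
```c
            else if(!strncasecmp(cptr, "mask ", 5))
            {
                /* … unchanged: format comment, mval … */
                long factor = 0;
                size_t mask_len = strlen(cptr);
                if (mask_len > 5)
                {
                    errno = 0;
                    factor = strtol(mval, &endp, 10);
                }
                /* Reject empty, non-numeric, trailing text, zero/negative,
                 * strtol overflow, and anything wider than the 32-bit field. */
                if ((factor <= 0) || (errno == ERANGE)
                    || ((unsigned long)factor > UINT32_MAX)
                    || (endp != cptr + mask_len))
                {
                    FatalError("%s(%d): invalid length mask \"%s\"\n",
                               file_name, file_line, cptr);
                }
                idx->mask = (uint32_t)factor;
            }
```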
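Review bot: The new `uint32_t mask;` is inserted between `relative_flag` and `data_string_convert_flag`, both `uint8_t`, which forces alignment padding on either side of it; placing it right after `offset`, the other 32-bit member, keeps the struct dense, and as far as the visible hash and compare code goes (both access members by name) the reorder is safe. A trailing comment in the style of `bytes_to_grab` would also help, since the meaning of zero is only implied by the `if (bjd->mask)` test in ByteJump: `uint32_t mask; /* ANDed with the extracted value before the multiplier; 0 = no mask */`. That "0 = no mask" reading presumes the structure is zero-initialised where it is allocated, which is outside this patch and worth confirming.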