Is there any way to write a UDP header rule based on the sticky buffer for Suricata?


Sticky buffer to match on the whole UDP header. Example rule: alert udp any any -> any any (udp.hdr; content:"|00 08|"; offset:4; depth:2; sid:1234; rev:5;)

The above is the only information given in the Suricata documentation. I am using pyshark to analyze each packet and get the information from the packet related to the signature; for UDP this will only be the header and its content in this case, according to the documentation.

How can I get this content:|00 08| information from each UDP packet? I am using a Python script to automatically generate rules for each UDP packet.

If I look at the bytes in the pcap, they do not have any udp.header information (they have source port, destination port, checksum and length, payload etc.). packet.udp.hdr does not provide any information. packet.udp.srcport provides the source port; the destination port, checksum and length, and payload can be fetched individually, but how can the complete header information be fetched, i.e. the header which is 8 bytes (source port, destination port, checksum and length), 2 bytes for each? packet.udp prints the whole UDP layer information.

Jufajardini On

The UDP header consists of 4 fields, each of which is 2 bytes:

  • source port
  • destination port
  • length
  • checksum

As the Suricata documentation you refer to explains, the |00 08| in the rule refers to the UDP packet length. The 'offset' keyword is there to indicate that, from the start of the packet, Suricata should skip 4 bytes (since the first 4 are the source and destination ports). The 'depth' tells Suricata how many bytes to check for that info. Since we know the length is only 2 bytes, that's what the rule says.

This rule tells Suricata to alert on any UDP packets that have a length of 8 bytes, that is, packets that have no payload.

You mention that the pcap has no udp.hdr, but you do mention the fields that make the UDP header. So, if you want to write a rule to match a certain UDP content that you can find within the UDP headers that you are seeing, indicate the content you're looking for, and work with the offset and depth based on the field you want to match on. For instance:

  • source port: offset 0, depth 2
  • destination port: offset 2, depth 2
  • checksum: offset 6, depth 2

For examples of UDP rules that don't necessarily use the header, or that check for anomalous UDP packets, I recommend checking the existing Suricata Verify tests that have UDP rules, or the rule sets provided by Suricata and ET Open (those two should be made available via Suricata-update, which comes with Suricata, when you install it from packages).

  • Suricata documentation: https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#udp-hdr
  • Basics of UDP datagram structure: https://en.wikipedia.org/wiki/User_Datagram_Protocol
  • Suricata-Verify repository: https://github.com/OISF/suricata-verify/
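The following is an added example (not code from the asker, the answerer, or the Suricata project) that puts the answer's offset/depth table and the question's "how do I get the 8 header bytes" together in Python. It rebuilds the raw 8-byte header from the four field values, parses it back, and emits a udp.hdr sticky-buffer rule for any one field. The header_from_pyshark helper assumes pyshark exposes the UDP layer fields under the attribute names used in the question (srcport, dstport, length, checksum, the last one as a hex string); the sample datagram is constructed, and pyshark itself is not imported so the block runs offline.

```python
import struct

# Byte offsets of the four 2-byte UDP header fields, as listed in the answer.
UDP_HEADER_FIELDS = {"srcport": 0, "dstport": 2, "length": 4, "checksum": 6}
UDP_HEADER_LEN = 8


def build_udp_header(srcport: int, dstport: int, length: int, checksum: int) -> bytes:
    """Assemble the 8-byte UDP header from its four fields (network byte order)."""
    return struct.pack("!HHHH", srcport, dstport, length, checksum)


def parse_udp_header(datagram: bytes) -> dict:
    """Split the first 8 bytes of a UDP datagram into its four fields."""
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("need at least 8 bytes for a UDP header")
    srcport, dstport, length, checksum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    return {
        "srcport": srcport,
        "dstport": dstport,
        "length": length,  # total length: header + payload
        "checksum": checksum,
        "payload_len": length - UDP_HEADER_LEN,  # 0 means header-only datagram
    }


def header_from_pyshark(udp_layer) -> bytes:
    """Rebuild the raw header from the per-field attributes pyshark exposes.

    Assumption: pyshark gives each field as a string (ports and length as
    decimal, checksum as '0x....'); attribute names follow the question.
    """
    return build_udp_header(
        int(udp_layer.srcport),
        int(udp_layer.dstport),
        int(udp_layer.length),
        int(udp_layer.checksum, 16),
    )


def udp_hdr_rule(header: bytes, field: str, sid: int, rev: int = 1, msg: str = "") -> str:
    """Emit a udp.hdr sticky-buffer rule that matches one 2-byte header field.

    offset is the field's position within the udp.hdr buffer and depth:2
    limits the match to exactly that field, as the answer describes.
    """
    if field not in UDP_HEADER_FIELDS:
        raise KeyError(f"unknown UDP header field {field!r}")
    offset = UDP_HEADER_FIELDS[field]
    hexbytes = " ".join(f"{b:02x}" for b in header[offset:offset + 2])
    msg = msg or f"UDP header {field} == {hexbytes}"
    return (
        f'alert udp any any -> any any (msg:"{msg}"; udp.hdr; '
        f'content:"|{hexbytes}|"; offset:{offset}; depth:2; sid:{sid}; rev:{rev};)'
    )


if __name__ == "__main__":
    # Constructed sample: source port 53, destination port 1024,
    # length 8 (no payload), checksum 0x1234.
    sample = build_udp_header(53, 1024, 8, 0x1234)
    print(parse_udp_header(sample))
    print(udp_hdr_rule(sample, "length", sid=1234, rev=5))
    print(udp_hdr_rule(sample, "dstport", sid=1235))
```

Run as a script, the second print reproduces the documentation rule (content:"|00 08|"; offset:4; depth:2;) for the constructed header. When generating rules from a capture, feed each packet's udp layer to header_from_pyshark and pick the field you actually want to alert on; matching on length alone, as the answer notes, only tells you the datagram carries no payload.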