transform/subslice: Add subslice transform#14835
Issue: 7672
The subslice transform creates a slice of the input buffer.
Specify the subslice desired -- nbytes and truncate are optional:
subslice: offset <,nbytes> <,truncate>
offset: Specifies the starting offset for the new subslice. When
negative, expresses how far from the end of the input buffer to begin.
When nbytes is *not* specified, start must be > 0.
nbytes: Specifies the size of the subslice. When negative, specifies the
byte count preceding the offset to include. Nbytes must be > 0.
When nbytes is not specified, the size of the subslice will be the size
of the input buffer - offset.
truncate: Specify behavior when offset + nbytes exceeds buffer length.
When present, trims nbytes such that offset + nbytes equals buffer
length. When not present, an empty buffer is produced.
Examples:
subslice: 1; - The subslice will be a copy of the input
buffer but omits the input buffer's first byte
"This is Suricata" -> "his is Suricata"
subslice: 0, 13; - The slice is created from the first 13 bytes
of the input buffer
"This is Suricata" -> "This is Suric"
subslice: 10, -5; - The subslice is created starting at offset 10
and continues to 5 bytes before the end of the input buffer
"This is Suricata" -> "r"
subslice: -3; - The subslice will be the last 3 bytes of the
input buffer.
"This is Suricata" -> "ata"
Add documentation for the subslice transform. Issue: 7672
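As an added example (not Suricata's own transform code), the Rust below resolves a `subslice: offset <,nbytes> <,truncate>` spec against a buffer under the rules described in the commit message: a negative offset counts back from the end, a negative nbytes selects the bytes preceding the offset (the reading under which `10, -5` equals `5, 5` and yields "is Su" on "This is Suricata", as the PR description states, rather than the "r" in the commit's own example), `start=0` without nbytes and `nbytes=0` are rejected, and `truncate` clamps an out-of-range window instead of producing an empty buffer. The struct and function names are this example's own.

```rust
// Added example, not Suricata's own code: resolve `subslice: offset <,nbytes> <,truncate>`
// under the rules on this page; negative nbytes is read as "bytes preceding the offset".

/// Parsed `subslice` options (names are this example's own).
pub struct Subslice { pub offset: isize, pub nbytes: Option<isize>, pub truncate: bool }

/// Parse the option string. None on the cases the PR rejects:
/// nbytes == 0, offset 0 without nbytes, and an unknown third token.
pub fn parse_subslice(spec: &str) -> Option<Subslice> {
    let mut parts = spec.split(',').map(str::trim);
    let offset = parts.next()?.parse::<isize>().ok()?;
    let nbytes = match parts.next() {
        Some(s) => match s.parse::<isize>().ok()? {
            0 => return None, // nbytes must be non-zero
            n => Some(n),
        },
        None => None,
    };
    if nbytes.is_none() && offset == 0 { return None; } // start=0 needs nbytes
    let truncate = match parts.next() {
        Some(s) if s.eq_ignore_ascii_case("truncate") => true,
        Some(_) => return None, // unknown third option
        None => false,
    };
    if parts.next().is_some() { return None; } // trailing tokens
    Some(Subslice { offset, nbytes, truncate })
}

/// Select the window from `input`; an out-of-range window yields an empty
/// slice unless `truncate` clamps it to the buffer (both ends, per the PR).
pub fn apply_subslice<'a>(s: &Subslice, input: &'a [u8]) -> &'a [u8] {
    let len = input.len() as isize;
    // A negative offset counts back from the end of the buffer.
    let start = if s.offset < 0 { len + s.offset } else { s.offset };
    let (mut lo, mut hi) = match s.nbytes {
        None => (start, len),                   // through end of buffer
        Some(n) if n > 0 => (start, start + n), // n bytes from offset
        Some(n) => (start + n, start),          // |n| bytes before offset
    };
    if lo < 0 || hi > len {
        if !s.truncate { return &[]; }
        lo = lo.max(0);
        hi = hi.min(len);
    }
    if lo >= hi { return &[]; }
    &input[lo as usize..hi as usize]
}
```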
Information: QA ran without warnings. Pipeline = 29777
catenacyber left a comment
Thanks for the work,
CI : ✅
Code : commenting
Commits segmentation : cool, I would squash :-p
Commit messages : As already said in the previous version 🟡: it looks like it no longer matches the behavior, e.g. "When nbytes is not specified, start must be > 0."
Git ID set : looks fine for me
CLA : you already contributed
Doc update : cool
Redmine ticket : ok
Rustfmt : nit
diff --git a/rust/src/detect/transforms/mod.rs b/rust/src/detect/transforms/mod.rs
index da42ecf38e..b20246d484 100644
--- a/rust/src/detect/transforms/mod.rs
+++ b/rust/src/detect/transforms/mod.rs
@@ -26,6 +26,6 @@ pub mod dotprefix;
pub mod hash;
pub mod http_headers;
pub mod strip_whitespace;
+pub mod subslice;
pub mod urldecode;
pub mod xor;
-pub mod subslice;
Tests : cool
Dependencies added: none
The length of the input buffer is ``17`` bytes; ``5`` bytes from the end
is ``12``::

subslice: 10, -5;
zlib_deflate; content:"This is compressed then base64-encoded"; startswith; endswith;
sid:2; rev:1;)

subslice
@jufajardini could you take a second look at the docs ?
// offset, nbytes
let nbytes = second.parse::<isize>().ok()?;
if nbytes == 0 {
    return None;
Could we log a user-friendly error that nbytes=0 is not accepted
let nbytes = second.parse::<isize>().ok()?;

if !third.eq_ignore_ascii_case("truncate") {
    return None;
Same : would we log friendly errors before returning None ?
}
};

// Normalize if indices reversed
How can indices get reversed ?
Continuation of #14824
The subslice transform creates a slice of the input buffer.
Examples:
subslice: 1; - The subslice will be a copy of the input
buffer but omit the input buffer's first byte
"This is Suricata" -> "his is Suricata"
subslice: 0, 13; - The slice is created from the first 13 bytes
of the input buffer
"This is Suricata" -> "This is Suric"
subslice: 10, -5; - This is the same as subslice[5, 5]
"This is Suricata" -> "is Su"
subslice: -3; - The subslice will be the last 3 bytes of the
input buffer.
"This is Suricata" -> "ata"
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7672
Describe changes:
Updates:
- `[3]`, `[3, 8]`
- `DetectTransformSubsliceData` to be attributed with `repr(C)`
- `nbyte` values to mean "bytes from the end".
- `start=0` is an error unless `nbytes` is specified
- `end=0` is always an error.
- `subslice.truncate` to control behavior when `offset + nbytes > length`
- `truncate` option.
- `truncate` option to negative offsets/byte count exceeding buffer length.

Provide values to any of the below to override the defaults.
link to the pull request in the respective `_BRANCH` variable.
SV_REPO=
SV_BRANCH=OISF/suricata-verify#2749
SU_REPO=
SU_BRANCH=