Project

General

Profile

Actions

Bug #1254

closed

sig parsing crash on malformed rev keyword

Added by Victor Julien about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This sig leads to a segv:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Potential CnC Response DONE"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Length|3A| 4|0D 0A|"; http_header; file_data; content:"DONE"; within:4; classtype:trojan-activity; sid:1769992; rev;1;)

Note: rev;1;, should be rev:1;

Actions #1

Updated by Andreas Moe about 10 years ago

I checked this error and it seems to happen with every keyword. Putting ";" instead of ":" after a keyword (tested with msg, content, dsize, sid and rev) results in a segmentation fault.

msg with ";":

Suricata-Main[30738]: segfault at 0 ip 0000000000499df5 sp 00007fff66b24760 error 4 in suricata[400000+1b1000]

sid with ";"

Suricata-Main[30748]: segfault at 0 ip 00000000004a7b16 sp 00007fffe52836c0 error 4 in suricata[400000+1b1000]

rev with ";"

Suricata-Main[30751]: segfault at 0 ip 00000000004a6116 sp 00007fff302016a0 error 4 in suricata[400000+1b1000]

dsize with ";"

Suricata-Main[30741]: segfault at 0 ip 00007f46a21db85f sp 00007fff7bc8a958 error 4 in libc-2.12.so[7f46a20a8000+18b000]

content with ";"

Suricata-Main[30744]: segfault at 0 ip 00007fa5cc19f85f sp 00007fff0308a638 error 4 in libc-2.12.so[7fa5cc06c000+18b000]

Actions #2

Updated by Victor Julien about 10 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #3

Updated by Victor Julien about 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF