Bug #2042
closed
Different protocol in MD5 rule will restart Suricata automatically
Added by Samiux A over 7 years ago.
Updated over 5 years ago.
Description
When using TCP on the following rule, Suricata will restart itself automatically.
reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)
When using HTTP on the same rule, Suricata will not restart itself automatically.
reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)
Affected: Suricata <= 3.2.1
Expected: produce an error message
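The two rules in the description differ only in the protocol field (tcp vs http) while sharing the same sid and rev and the same set of file keywords (fileext, filestore, filemd5). Below is an added example, not code from the ticket or from the Suricata project, of a small rule-file lint that parses rules of this shape and reports (a) rules that carry file keywords without an application-layer protocol and (b) repeated sid/rev pairs, so that both conditions can be caught before a ruleset is loaded into a sensor. The set of protocols treated as file-capable (FILE_PROTOS) and the list of file keywords are assumptions of this example, not Suricata's own validation logic; the sample ruleset is constructed from the shape of the rules above.

```python
import re

# Constructed sample ruleset: the ticket's tcp and http variants of the same
# sid/rev, plus an unrelated http rule with no file keywords.
RULES = """
reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)
reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"plain http rule"; content:"GET"; sid:1000001; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

# Keywords that operate on extracted files (assumed list for this lint).
FILE_KEYWORDS = {"filemd5", "filesha1", "filesha256", "filestore",
                 "fileext", "filename", "filemagic", "filesize"}
# App-layer protocols this lint accepts for file keywords (assumption of the
# example; it is a review policy, not what Suricata itself enforces).
FILE_PROTOS = {"http", "smtp"}


def split_options(opts):
    """Split the option body on ';' while respecting double-quoted values,
    so a ';' inside msg or pcre does not split the option."""
    out, buf, in_q, esc = [], [], False, False
    for ch in opts:
        if esc:
            buf.append(ch)
            esc = False
            continue
        if ch == '\\':
            buf.append(ch)
            esc = True
            continue
        if ch == '"':
            in_q = not in_q
        if ch == ';' and not in_q:
            tok = ''.join(buf).strip()
            if tok:
                out.append(tok)
            buf = []
        else:
            buf.append(ch)
    tok = ''.join(buf).strip()
    if tok:
        out.append(tok)
    return out


def parse_rule(line):
    """Return a dict with action, proto, options (keyword -> list of values),
    sid and rev, or None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    options = {}
    for tok in split_options(m.group('opts')):
        key, _, val = tok.partition(':')
        options.setdefault(key.strip(), []).append(val.strip())
    return {"action": m.group('action'), "proto": m.group('proto'),
            "options": options,
            "sid": options.get("sid", [None])[0],
            "rev": options.get("rev", [None])[0]}


def lint(rules_text):
    """Return a list of (line number, message) findings for the ruleset."""
    findings, seen = [], {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        r = parse_rule(line)
        if r is None:
            findings.append((lineno, "unparseable rule header"))
            continue
        used = sorted(k for k in r["options"] if k in FILE_KEYWORDS)
        if used and r["proto"] not in FILE_PROTOS:
            findings.append((lineno, f"sid {r['sid']}: file keywords {used} "
                                     f"on proto '{r['proto']}' (no app-layer protocol)"))
        key = (r["sid"], r["rev"])
        if key in seen:
            findings.append((lineno, f"sid {r['sid']} rev {r['rev']} "
                                     f"duplicates line {seen[key]}"))
        else:
            seen[key] = lineno
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(RULES):
        print(f"line {lineno}: {msg}")
```

Run against the constructed ruleset, the lint reports the tcp variant for carrying file keywords without an app-layer protocol and the http variant for reusing the same sid/rev; the third rule passes. Quoted values are handled by a small tokenizer rather than a plain split on ';' so that a message or pcre containing a semicolon does not corrupt the option table.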
- Assignee set to Anonymous
- Target version set to TBD
I cannot reproduce your issue; at least Suricata is not restarting itself with the first reject tcp rule. How do you run Suricata and what compile options did you use?
I compile Suricata like this:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-nfqueue --enable-pie --enable-gccprotect --enable-gccprofile \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.1/ \
--with-libluajit-libraries=/usr/local/lib/ \
CFLAGS="-ggdb -O0 -ftrapv -fPIE -Wl,-z,relro,-z,now -g -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-all --param=ssp-buffer-size=4 -Wformat -Werror=format-security" \
SECCFLAGS="-ftrapv -fPIE -Wl,-z,relro,-z,now -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wformat -Wformat-security" \
--with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
I run Suricata like this:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
I tested on several machines and the result is the same: it restarts automatically.
When Suricata 3.2.1 is compiled with Hyperscan 4.4.1, the problem is gone.
I think it is caused by a bug in Hyperscan <= 4.4.0.
Hmm, too early to say that. The problem remains.
What distribution are you using?
Ubuntu Server 16.04.2 LTS with 4.4.0 kernel.
Can you try to reproduce it with the most recent version of Suricata?
- Assignee set to Community Ticket
- Status changed from New to Closed