Bug #2158

Suricata v4.0.0-beta1 dns_query; segmentation fault

Added by Bryant Smith over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

During the Denver training session I ran into an issue when trying to put dns_query; into a DNS detection signature. Below is the output of a working signature and also the output of the failed signature against the same PCAP. This only seems to be an issue with 4.0.0-beta1. I tested it against 3.2.1 and everything works as it should.

Working Signature

==============================================================================================================
alert dns any any -> any any (msg:"Lab 7"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; content:"|0e|drivres-update"; sid:223344; rev:1;)

$ ./suri.sh Labs/Lab7/ex1_section8_Sofacy.pcap
26/6/2017 -- 13:09:41 - <Notice> - This is Suricata version 4.0.0-beta1 RELEASE
26/6/2017 -- 13:09:41 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
26/6/2017 -- 13:09:41 - <Notice> - Signal Received. Stopping engine.
26/6/2017 -- 13:09:42 - <Notice> - Pcap-file module read 10 packets, 2472 bytes

03/22/2015-06:36:09.077229 [**] [1:223344:1] Lab 7 [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.35.10:1030 -> 10.55.99.1:53

--------------------------------------------------------------------------
Date: 6/26/2017 -- 13:09:42. Sorted by: average ticks.
--------------------------------------------------------------------------
Num   Rule     Gid  Rev  Ticks  %       Checks  Matches  Max Ticks  Avg Ticks  Avg Match  Avg No Match
----  -------  ---  ---  -----  ------  ------  -------  ---------  ---------  ---------  ------------
1     223344   1    1    18622  100.00  1       1        18622      18622.00   18622.00   0.00

==============================================================================================================

Failed Signature

==============================================================================================================
alert dns any any -> any any (msg:"Lab 7"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dns_query; content:"drivres-update"; sid:223344; rev:1;)

$ ./suri.sh Labs/Lab7/ex1_section8_Sofacy.pcap
26/6/2017 -- 13:11:20 - <Notice> - This is Suricata version 4.0.0-beta1 RELEASE
26/6/2017 -- 13:11:20 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
./suri.sh: line 7: 9736 Segmentation fault (core dumped) sudo suricata -c /etc/suricata/suricata.yaml -k none -r $1 -l /tmp/suricata

==============================================================================================================


Files

ex1_section8_Sofacy.pcap.zip (789 Bytes) ex1_section8_Sofacy.pcap.zip Bryant Smith, 06/26/2017 03:25 PM
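The two signatures in the report look for the same domain in two different buffers. The working one matches raw packet bytes: the flags/qdcount bytes "01 00 00 01" pinned at offset 2 with depth 4, then the wire-format label "|0e|drivres-update" (14 ASCII bytes preceded by their length byte). The failing one switches to the dns_query sticky buffer, which holds the decoded query name without length bytes, so the content there is just "drivres-update". The script below is an added example, not code from the bug report or from the Suricata project: it builds a DNS query (the domains, transaction ID and helper names are assumptions), decodes the question name the way a dns_query buffer would present it, and applies both matching strategies so the difference between raw-byte and normalized-name matching is visible. The flow:to_server check is out of scope here and is not modelled.

```python
"""Added example: raw-byte vs. normalized DNS query-name matching.

Not part of the bug report or of Suricata; constructed inputs throughout.
"""
import struct

DNS_HEADER_LEN = 12
FLAGS_AND_QDCOUNT = b"\x01\x00\x00\x01"   # RD set, one question


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query for `name` (constructed packet)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes, off: int = DNS_HEADER_LEN):
    """Decode the first question name; return (dotted_name, offset_after_name).

    Mirrors what a normalized query-name buffer contains: labels joined by
    dots, no length bytes. Rejects truncated data, over-long labels and
    compression pointers (a question name from a client should not use them).
    """
    labels = []
    while True:
        if off >= len(payload):
            raise ValueError("truncated qname")
        n = payload[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if n > 63:
            raise ValueError("label longer than 63 bytes")
        off += 1
        if off + n > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n


def packet_rule_matches(payload: bytes) -> bool:
    """The working signature, applied to the raw UDP payload.

    content:"|01 00 00 01|"; offset:2; depth:4  -> must sit exactly at [2:6]
    content:"|0e|drivres-update"                 -> anywhere in the payload
    """
    if payload[2:6] != FLAGS_AND_QDCOUNT:
        return False
    return b"\x0edrivres-update" in payload


def dns_query_rule_matches(payload: bytes) -> bool:
    """The intended dns_query signature: same header pin on the packet, then
    a plain substring match against the decoded query name."""
    if payload[2:6] != FLAGS_AND_QDCOUNT:
        return False
    try:
        name, _ = parse_qname(payload)
    except ValueError:
        return False
    return "drivres-update" in name


if __name__ == "__main__":
    # Constructed sample names; only the first resembles the report's domain.
    for domain in ("drivres-update.com", "xdrivres-update.com", "example.com"):
        pkt = build_query(domain)
        print(f"{domain:22s} raw={packet_rule_matches(pkt)!s:5} "
              f"dns_query={dns_query_rule_matches(pkt)}")
```

The second sample name shows the semantic gap between the two buffers: "xdrivres-update" is a 15-byte label, so its length prefix is 0x0f and the raw-byte content "|0e|drivres-update" does not match, while the substring match on the decoded name does. That is the reason to prefer the dns_query buffer once the crash reported here is fixed, and also why a rule converted from raw-byte to dns_query form can fire on more names than before.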
#1

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
#2

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed