Bug #2158 (closed): Suricata v4.0.0-beta1 dns_query; segmentation fault
Description
During the Denver training session I ran into an issue when trying to implement dns_query; into a dns detection signature. Below is the output of a working signature and also the output of the failed signature against the same PCAP. This only seems to be an issue with 4.0.0-beta1. I tested it against 3.2.1 and everything works as it should.
Working Signature
==============================================================================================================
alert dns any any -> any any (msg:"Lab 7"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; content:"|0e|drivres-update"; sid:223344; rev:1;)
$ ./suri.sh Labs/Lab7/ex1_section8_Sofacy.pcap
26/6/2017 -- 13:09:41 - <Notice> - This is Suricata version 4.0.0-beta1 RELEASE
26/6/2017 -- 13:09:41 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
26/6/2017 -- 13:09:41 - <Notice> - Signal Received. Stopping engine.
26/6/2017 -- 13:09:42 - <Notice> - Pcap-file module read 10 packets, 2472 bytes
03/22/2015-06:36:09.077229 [**] [1:223344:1] Lab 7 [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.35.10:1030 -> 10.55.99.1:53
--------------------------------------------------------------------------
Date: 6/26/2017 -- 13:09:42. Sorted by: average ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 223344 1 1 18622 100.00 1 1 18622 18622.00 18622.00 0.00
==============================================================================================================
Failed Signature
==============================================================================================================
alert dns any any -> any any (msg:"Lab 7"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dns_query; content:"drivres-update"; sid:223344; rev:1;)
$ ./suri.sh Labs/Lab7/ex1_section8_Sofacy.pcap
26/6/2017 -- 13:11:20 - <Notice> - This is Suricata version 4.0.0-beta1 RELEASE
26/6/2017 -- 13:11:20 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
./suri.sh: line 7: 9736 Segmentation fault (core dumped) sudo suricata -c /etc/suricata/suricata.yaml -k none -r $1 -l /tmp/suricata
==============================================================================================================
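The two signatures above inspect the same DNS query in different ways: the working rule searches the raw UDP payload for the length-prefixed label `|0e|drivres-update` (0x0e = 14, the label length), while the second rule moves into the dns_query sticky buffer, where the question name is available in decoded dotted form and needs no length byte. The following Python script is an added example, not code from the bug report or from the Suricata project. It builds a constructed DNS query in wire format, decodes the question name the way a dns_query buffer presents it, and reproduces both rule checks as plain functions so the difference in match semantics can be seen. The function names, the helper, and the sample names (`drivres-update.example`, `drivres-updates.example`) are assumptions chosen for the example; only the flags check and the `drivres-update` content come from the rules above.

```python
import struct


def build_dns_query(name, qtype=1, qclass=1, txid=0x1234):
    """Build a minimal DNS query (header + one question) in wire format.

    Constructed helper for this example. The layout is what both rules
    inspect: a 12-byte header, then the question name as length-prefixed
    labels, then QTYPE and QCLASS.
    """
    # id, flags (0x0100 = standard query, recursion desired), qdcount=1, an/ns/ar=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_query_name(payload):
    """Decode the first question name of a DNS message into dotted form.

    This approximates what a dns_query buffer holds: the labels joined with
    dots and without their length bytes. Compression pointers are not valid
    in a query's question name, so they are rejected instead of followed.
    """
    pos = 12  # question section starts right after the fixed header
    labels = []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def header_is_standard_query(payload):
    """The 'content:"|01 00 00 01|"; offset:2; depth:4;' check shared by both rules:
    flags 0x0100 and QDCOUNT 1 at bytes 2..5 of the message."""
    return payload[2:6] == b"\x01\x00\x00\x01"


def matches_raw_rule(payload):
    """Working rule: flags check plus a raw-payload search for the
    0x0e-prefixed label, so only a label of exactly 14 bytes can match."""
    return header_is_standard_query(payload) and b"\x0edrivres-update" in payload


def matches_dns_query_rule(payload):
    """Second rule: flags check plus a substring search over the decoded
    query name, so any name containing the string matches."""
    if not header_is_standard_query(payload):
        return False
    try:
        name = parse_query_name(payload)
    except ValueError:
        return False  # undecodable name: nothing for the buffer to hold
    return "drivres-update" in name


if __name__ == "__main__":
    for sample in ("drivres-update.example", "drivres-updates.example", "example.com"):
        q = build_dns_query(sample)
        print(f"{parse_query_name(q):28s} raw={matches_raw_rule(q)} "
              f"dns_query={matches_dns_query_rule(q)}")
```

The second sample shows why the two rules are not equivalent: `drivres-updates.example` carries a 15-byte label, so the raw `|0e|drivres-update` content never appears in the packet, yet the decoded name still contains `drivres-update` and the dns_query form matches. When migrating raw-content DNS rules to dns_query, either drop the length byte and accept substring semantics, or anchor the match on the decoded name (for example with dots around the label) if exact-label behaviour is wanted.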