Bug #2714
closedFailed Assertion, Suricata Abort - util-mpm-hs.c line 163
Description
You may wish to refer to: Bug #2195 as this may have been the root of that problem as well -- it looks similar.
I've purposely chosen a small set of rules (see attached) to demonstrate that this is the result of similar/duplicate patterns and not the number of patterns.
I'm not convinced this is a Hyperscan issue, but I haven't dug deeply into the details. The Suricata code referenced is making a simple assertion looking dupes that fails. Is it possible there is a truncation somewhere that is making the rules which contain: "/wf/clickupn=..." (see attached) appear the same to the hash but the memory check fails?
To reproduce- Enable the file with 16 rules. Suricata will abort during dupe cull.
- Enable either of the files with 8 rules. Suricata will not abort. Notice that the files with 8 rules, when combined, are exactly the same as the file with 16 rules.
This is a dupe/interaction issue.
I've tested this with Hyperscan 5.0 and 4.6.
Let me know if you need anything else.
Thanks
Files
Updated by Victor Julien almost 6 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
I'll have a look, thanks for the report.
Updated by Victor Julien almost 6 years ago
- Priority changed from Normal to High
Updated by Victor Julien almost 6 years ago
- Target version set to 4.0.7
- Affected Versions 4.0.1, 4.0.2/4.0.3, 4.0.4, 4.0.5, 4.0.6 added
- Affected Versions deleted (
4.0beta1)
Updated by Victor Julien almost 6 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal