Project

General

Profile

Actions
Copy link

Bug #2714

closed

Failed Assertion, Suricata Abort - util-mpm-hs.c line 163

Added by booble tins almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.0.7
Affected Versions:
4.0.0, 4.0.1, 4.0.2/4.0.3, 4.0.4, 4.0.5, 4.0.6
Effort:
Difficulty:
Label:

Description

You may wish to refer to: Bug #2195 as this may have been the root of that problem as well -- it looks similar.

I've purposely chosen a small set of rules (see attached) to demonstrate that this is the result of similar/duplicate patterns and not the number of patterns.

I'm not convinced this is a Hyperscan issue, but I haven't dug deeply into the details. The Suricata code referenced is making a simple assertion looking dupes that fails. Is it possible there is a truncation somewhere that is making the rules which contain: "/wf/clickupn=..." (see attached) appear the same to the hash but the memory check fails?

To reproduce
  • Enable the file with 16 rules. Suricata will abort during dupe cull.
  • Enable either of the files with 8 rules. Suricata will not abort. Notice that the files with 8 rules, when combined, are exactly the same as the file with 16 rules.

This is a dupe/interaction issue.

I've tested this with Hyperscan 5.0 and 4.6.

Let me know if you need anything else.

Thanks

Files

Download all files
16.0 (7.52 KB) 16.0 16 rules which cause an abort with Hyperscan enabled booble tins, 11/26/2018 05:52 AM
8.1.0 (3.74 KB) 8.1.0 8 of the 16 rules which do not cause an abort with Hyperscan enabled booble tins, 11/26/2018 05:52 AM
8.2.0 (3.78 KB) 8.2.0 The other 8 of the 16 rules which do not cause an abort with Hyperscan enabled booble tins, 11/26/2018 05:52 AM
Actions
Copy link

Also available in: Atom PDF