Actions
Bug #4261
closedMismatch between capture and outputs in rules leads to seg fault
Affected Versions:
Effort:
Difficulty:
low
Label:
Needs backport to 5.0, Needs backport to 6.0
Description
Parsing bug: Given 2 or more outputs for one capture in the regex, there will be a segmentation fault.
For example,
content:"USER"; \alert tcp any any -> any any (msg:"get username in nntp"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)
Files
Updated by Shawn Yao almost 4 years ago
For example,
alert tcp any any -> any any (msg:"get username in nntp"; \
content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)
Updated by Shawn Yao almost 4 years ago
I'm not familiar to this editor.
If you want to see details, Open the bug pics, pls.
Updated by Victor Julien almost 4 years ago
- Status changed from New to Assigned
- Assignee changed from Eric Leblond to Jeff Lucovsky
- Target version set to 7.0.0-beta1
- Label Needs backport to 5.0, Needs backport to 6.0 added
Updated by Jeff Lucovsky over 3 years ago
- Copied to Bug #4287: Mismatch between capture and outputs in rules leads to seg fault added
Updated by Jeff Lucovsky over 3 years ago
- Copied to Bug #4288: Mismatch between capture and outputs in rules leads to seg fault added
Updated by Shawn Yao over 3 years ago
alert tcp any any -> any any (msg:"nntp get username";\
content:"AUTHINFO USER";\
pcre: "/AUTHINFO USER\s+([^\s]+)\r\n/i, pkt:nntp_user, pkt:nntp_pass";\
sid:2000030;\
gid:100;)
The key for test, you should write the number of "pkt" or "flow" more than groups in pcre.
Updated by Jeff Lucovsky over 3 years ago
I've identified a fix .. until it's ready, please try a rule with two captures.
The rule you listed only captures the NNTP user -- this triggers the segfault (which will be fixed).
Updated by Jeff Lucovsky over 3 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien over 3 years ago
- Status changed from In Review to Closed
Actions