Bug #1254
Closed
sig parsing crash on malformed rev keyword
Description
This sig leads to a segv:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Potential CnC Response DONE"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Length|3A| 4|0D 0A|"; http_header; file_data; content:"DONE"; within:4; classtype:trojan-activity; sid:1769992; rev;1;)
Note: rev;1;, should be rev:1;
Updated by Andreas Moe over 10 years ago
I checked this error and it seems to happen with every keyword. Putting ";" instead of ":" after a keyword (tested with msg, content, dsize, sid and rev) results in a segmentation fault.
msg with ";":
Suricata-Main[30738]: segfault at 0 ip 0000000000499df5 sp 00007fff66b24760 error 4 in suricata[400000+1b1000]
sid with ";":
Suricata-Main[30748]: segfault at 0 ip 00000000004a7b16 sp 00007fffe52836c0 error 4 in suricata[400000+1b1000]
rev with ";":
Suricata-Main[30751]: segfault at 0 ip 00000000004a6116 sp 00007fff302016a0 error 4 in suricata[400000+1b1000]
dsize with ";":
Suricata-Main[30741]: segfault at 0 ip 00007f46a21db85f sp 00007fff7bc8a958 error 4 in libc-2.12.so[7f46a20a8000+18b000]
content with ";":
Suricata-Main[30744]: segfault at 0 ip 00007fa5cc19f85f sp 00007fff0308a638 error 4 in libc-2.12.so[7fa5cc06c000+18b000]
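The fault address of 0 in the log lines above is consistent with a NULL pointer being read when a keyword arrives without its ":" and value. The following is an added example, not Suricata's code and not part of the report: a simplified option validator that rejects such options before any keyword handler would touch the value. The keyword table, `check_option` and `validate_options` are hypothetical, and representing the missing value as NULL is an assumption.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed table (not Suricata's): keywords from the report and whether each takes a value. */
struct kw { const char *name; int needs_value; };
static const struct kw KEYWORDS[] = {
    {"msg", 1}, {"flow", 1}, {"content", 1}, {"within", 1}, {"dsize", 1},
    {"classtype", 1}, {"sid", 1}, {"rev", 1}, {"http_stat_code", 0},
    {"http_stat_msg", 0}, {"http_header", 0}, {"file_data", 0},
};

/* Check one "name" or "name:value" option in place; 0 if well formed, -1 if not. */
static int check_option(char *opt)
{
    opt += strspn(opt, " ");               /* skip leading blanks */
    char *value = strchr(opt, ':');        /* NULL when the ':' is missing */
    if (value != NULL)
        *value++ = '\0';                   /* split name and value */
    for (size_t i = 0; i < sizeof(KEYWORDS) / sizeof(KEYWORDS[0]); i++) {
        if (strcmp(opt, KEYWORDS[i].name) != 0)
            continue;
        /* "rev;1;" reaches this point as name "rev" with value == NULL.
         * Reject it here, before any handler could dereference value. */
        if (KEYWORDS[i].needs_value)
            return (value != NULL && *value != '\0') ? 0 : -1;
        return (value == NULL) ? 0 : -1;
    }
    return -1;                             /* unknown keyword, e.g. the stray "1" */
}

/* Validate the text between "(" and ")" of a rule: 0 if all options are well formed,
 * else the 1-based position of the first bad one. Simplification: "\;" is not handled. */
int validate_options(const char *options)
{
    char *copy = malloc(strlen(options) + 1);
    if (copy == NULL)
        return -1;                         /* allocation failure */
    strcpy(copy, options);
    int pos = 1, bad = 0;
    for (char *opt = copy, *end; bad == 0 && *opt != '\0'; opt = end, pos++) {
        end = opt + strcspn(opt, ";");     /* end of this option */
        if (*end == ';')
            *end++ = '\0';
        if (check_option(opt) != 0)
            bad = pos;
    }
    free(copy);
    return bad;
}
```

Run over the options of the signature in the description, `validate_options` reports option 14 (`rev`) as malformed; with `rev:1;` it returns 0.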
Updated by Victor Julien about 10 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien about 10 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100