Project

General

Profile

Actions

Bug #2042

closed

Difference protocol of MD5 rule will restart Suricata automatically

Added by Samiux A about 7 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When using TCP on the following rule, Suricata will restart itself automatically.

reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)

When using HTTP on the same rule, Suricata will not restart itself automatically.

reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"ALMOND CROISSANTS Malicious file - CryptXXX Ransomware MD5 Hash"; flow:established; fileext:!"iso."; filestore; filemd5:cryptxxx_md5; classtype: suspicious-filename-detect; sid:1060335; rev:3;)

Affected : Suricata <= 3.2.1
Expect : produce error message

Actions #1

Updated by Andreas Herz about 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

I can not reproduce your issue, at least suricata is not restarting itself with the first reject tcp rule. How do you run suricata and what compile options did you use?

Actions #2

Updated by Samiux A about 7 years ago

I compile Suricata like that :

./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-nfqueue --enable-pie --enable-gccprotect --enable-gccprofile \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.1/ \
--with-libluajit-libraries=/usr/local/lib/ \
CFLAGS="-ggdb -O0 -ftrapv -fPIE -Wl,-z,relro,-z,now -g -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-all --param=ssp-buffer-size=4 -Wformat -Werror=format-security" \
SECCFLAGS="-ftrapv -fPIE -Wl,-z,relro,-z,now -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wformat -Wformat-security" \
--with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/

I run Suricata like that :

/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D

I tested on several machines and the result is the same - restart automatically.

Actions #3

Updated by Samiux A about 7 years ago

When Suricata 3.2.1 is compiled with Hyperscan 4.4.1, the problem gone.

I think it is caused by <= Hyperscan 4.4.0 bug.

Actions #4

Updated by Samiux A about 7 years ago

Hmm, too early to say that. The problem is remained.

Actions #5

Updated by Andreas Herz about 7 years ago

What distribution are you using?

Actions #6

Updated by Samiux A about 7 years ago

Ubuntu Server 16.04.2 LTS with 4.4.0 kernel.

Actions #7

Updated by Andreas Herz almost 6 years ago

Can you try to reproduce it with most recent version of suricata?

Actions #8

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions #9

Updated by Andreas Herz over 4 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions

Also available in: Atom PDF