Project

General

Profile

Actions

Bug #2714

closed

Failed Assertion, Suricata Abort - util-mpm-hs.c line 163

Added by booble tins about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

You may wish to refer to: Bug #2195 as this may have been the root of that problem as well -- it looks similar.

I've purposely chosen a small set of rules (see attached) to demonstrate that this is the result of similar/duplicate patterns and not the number of patterns.

I'm not convinced this is a Hyperscan issue, but I haven't dug deeply into the details. The Suricata code referenced is making a simple assertion looking dupes that fails. Is it possible there is a truncation somewhere that is making the rules which contain: "/wf/clickupn=..." (see attached) appear the same to the hash but the memory check fails?

To reproduce
  • Enable the file with 16 rules. Suricata will abort during dupe cull.
  • Enable either of the files with 8 rules. Suricata will not abort. Notice that the files with 8 rules, when combined, are exactly the same as the file with 16 rules.

This is a dupe/interaction issue.

I've tested this with Hyperscan 5.0 and 4.6.

Let me know if you need anything else.

Thanks


Files

16.0 (7.52 KB) 16.0 16 rules which cause an abort with Hyperscan enabled booble tins, 11/26/2018 05:52 AM
8.1.0 (3.74 KB) 8.1.0 8 of the 16 rules which do not cause an abort with Hyperscan enabled booble tins, 11/26/2018 05:52 AM
8.2.0 (3.78 KB) 8.2.0 The other 8 of the 16 rules which do not cause an abort with Hyperscan enabled booble tins, 11/26/2018 05:52 AM
Actions #1

Updated by Victor Julien about 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien

I'll have a look, thanks for the report.

Actions #2

Updated by Victor Julien about 6 years ago

  • Priority changed from Normal to High
Actions #3

Updated by Victor Julien about 6 years ago

  • Target version set to 4.0.7
  • Affected Versions 4.0.1, 4.0.2/4.0.3, 4.0.4, 4.0.5, 4.0.6 added
  • Affected Versions deleted (4.0beta1)
Actions #4

Updated by Victor Julien about 6 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
Actions

Also available in: Atom PDF