Project

General

Profile

Actions

Bug #4261

closed

Mismatch between capture and outputs in rules leads to seg fault

Added by Shawn Yao 8 months ago. Updated 7 months ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
low
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

Parsing bug: Given 2 or more outputs for one capture in the regex, there will be a segmentation fault.

For example,

alert tcp any any -> any any (msg:"get username in nntp"; \

content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)

Files

bug2.png (34.5 KB) bug2.png Shawn Yao, 01/12/2021 05:18 AM
bug1.png (41.2 KB) bug1.png Shawn Yao, 01/12/2021 05:18 AM
nntp.pcap (177 KB) nntp.pcap you can try it now Shawn Yao, 02/07/2021 06:53 AM

Related issues

Copied to Bug #4287: Mismatch between capture and outputs in rules leads to seg faultClosedJeff LucovskyActions
Copied to Bug #4288: Mismatch between capture and outputs in rules leads to seg faultClosedVictor JulienActions
Actions #1

Updated by Shawn Yao 8 months ago

For example,

alert tcp any any -> any any (msg:"get username in nntp"; \
content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)
Actions #2

Updated by Shawn Yao 8 months ago

I'm not familiar to this editor.
If you want to see details, Open the bug pics, pls.

Actions #3

Updated by Victor Julien 8 months ago

  • Status changed from New to Assigned
  • Assignee changed from Eric Leblond to Jeff Lucovsky
  • Target version set to 7.0rc1
  • Label Needs backport to 5.0, Needs backport to 6.0 added
Actions #4

Updated by Jeff Lucovsky 8 months ago

  • Copied to Bug #4287: Mismatch between capture and outputs in rules leads to seg fault added
Actions #5

Updated by Jeff Lucovsky 8 months ago

  • Copied to Bug #4288: Mismatch between capture and outputs in rules leads to seg fault added
Actions #6

Updated by Jeff Lucovsky 7 months ago

Can you share your pcap file?

Actions #7

Updated by Shawn Yao 7 months ago

alert tcp any any -> any any (msg:"nntp get username";\
        content:"AUTHINFO USER";\
        pcre: "/AUTHINFO USER\s+([^\s]+)\r\n/i, pkt:nntp_user, pkt:nntp_pass";\
        sid:2000030;\
        gid:100;)

The key for test, you should write the number of "pkt" or "flow" more than groups in pcre.

Actions #8

Updated by Jeff Lucovsky 7 months ago

I've identified a fix .. until it's ready, please try a rule with two captures.
The rule you listed only captures the NNTP user -- this triggers the segfault (which will be fixed).

Actions #9

Updated by Jeff Lucovsky 7 months ago

  • Status changed from Assigned to In Review
Actions

Also available in: Atom PDF