Bug #4261

Mismatch between capture and outputs in rules leads to seg fault

Added by Shawn Yao 5 months ago. Updated 4 months ago.

Status: Closed
Priority: High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty: low
Label: Needs backport to 5.0, Needs backport to 6.0

Description

Parsing bug: Given 2 or more outputs for one capture in the regex, there will be a segmentation fault.

For example,

alert tcp any any -> any any (msg:"get username in nntp"; \
content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)

Files

bug2.png (34.5 KB) - Shawn Yao, 01/12/2021 05:18 AM
bug1.png (41.2 KB) - Shawn Yao, 01/12/2021 05:18 AM
nntp.pcap (177 KB) - "you can try it now" - Shawn Yao, 02/07/2021 06:53 AM

Related issues

Copied to Bug #4287: Mismatch between capture and outputs in rules leads to seg fault (Closed, Jeff Lucovsky)
Copied to Bug #4288: Mismatch between capture and outputs in rules leads to seg fault (Closed, Victor Julien)
#1

Updated by Shawn Yao 5 months ago

For example,

alert tcp any any -> any any (msg:"get username in nntp"; \
content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)
#2

Updated by Shawn Yao 5 months ago

I'm not familiar with this editor.
If you want to see details, open the bug pics, please.

#3

Updated by Victor Julien 5 months ago

  • Status changed from New to Assigned
  • Assignee changed from Eric Leblond to Jeff Lucovsky
  • Target version set to 7.0rc1
  • Label Needs backport to 5.0, Needs backport to 6.0 added
#4

Updated by Jeff Lucovsky 5 months ago

  • Copied to Bug #4287: Mismatch between capture and outputs in rules leads to seg fault added
#5

Updated by Jeff Lucovsky 5 months ago

  • Copied to Bug #4288: Mismatch between capture and outputs in rules leads to seg fault added
#6

Updated by Jeff Lucovsky 5 months ago

Can you share your pcap file?

#7

Updated by Shawn Yao 5 months ago

alert tcp any any -> any any (msg:"nntp get username";\
        content:"AUTHINFO USER";\
        pcre: "/AUTHINFO USER\s+([^\s]+)\r\n/i, pkt:nntp_user, pkt:nntp_pass";\
        sid:2000030;\
        gid:100;)

The key for the test: you should write more "pkt" or "flow" outputs than there are groups in the pcre.
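
The trigger described in the ticket description and in comment #7 is a rule whose pcre option names more `pkt:`/`flow:` output variables than the pattern has capture groups. The following is an added example of a rule-file lint that catches this before a rule is loaded; it is not code from the ticket or from Suricata. The two ticket rules are embedded as sample input alongside one constructed well-formed rule. It assumes that Python's `re` module counts capturing groups the same way PCRE does for the constructs found in typical rules (plain groups counted, `(?:...)` and lookarounds not); PCRE-only syntax that `re` rejects is reported for manual review rather than guessed at.

```python
import re

# Constructed input for this example: the two rules posted in the ticket (zero and one
# capture group, each naming two output variables) plus a constructed well-formed rule.
TICKET_RULE_NO_GROUPS = r'''alert tcp any any -> any any (msg:"get username in nntp"; \
content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)'''

TICKET_RULE_ONE_GROUP = r'''alert tcp any any -> any any (msg:"nntp get username";\
        content:"AUTHINFO USER";\
        pcre: "/AUTHINFO USER\s+([^\s]+)\r\n/i, pkt:nntp_user, pkt:nntp_pass";\
        sid:2000030;\
        gid:100;)'''

GOOD_RULE = r'''alert tcp any any -> any any (msg:"nntp verb and value (constructed)";\
        content:"AUTHINFO";\
        pcre: "/AUTHINFO (USER|PASS)\s+(\S+)\r\n/i, pkt:nntp_verb, pkt:nntp_value";\
        sid:9000001;)'''

# pcre:"..." option; the quoted body may contain escaped characters such as \" or \/
PCRE_OPT = re.compile(r'pcre\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_OPT = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def split_pcre_value(value):
    """Split a pcre option value into (pattern, flags, outputs).

    Syntax as used in the ticket: /regex/flags, optionally followed by comma-separated
    "pkt:name" or "flow:name" entries, one per capture group.
    """
    value = value.strip()
    if not value.startswith('/'):
        raise ValueError('pcre value must start with "/"')
    i = 1
    while i < len(value) and value[i] != '/':
        i += 2 if value[i] == '\\' else 1      # skip escaped characters, including "\/"
    if i >= len(value):
        raise ValueError('unterminated pcre pattern')
    pattern = value[1:i]
    flags, _, tail = value[i + 1:].partition(',')
    outputs = [o.strip() for o in tail.split(',') if o.strip()]
    return pattern, flags.strip(), outputs


def count_capture_groups(pattern):
    """Number of capturing groups in the pattern, or None if re cannot compile it.

    Assumption: re counts "(...)" and named groups, and ignores "(?:...)" and
    lookarounds, exactly as PCRE does for these constructs. PCRE-only syntax
    (e.g. possessive quantifiers) makes re.compile fail and yields None.
    """
    try:
        return re.compile(pattern).groups
    except re.error:
        return None


def check_rule(rule):
    """Return a list of findings for one rule; an empty list means every pcre output
    variable has a capture group that can fill it."""
    sid_match = SID_OPT.search(rule)
    sid = sid_match.group(1) if sid_match else '?'
    findings = []
    for m in PCRE_OPT.finditer(rule):
        pattern, _flags, outputs = split_pcre_value(m.group(1))
        variables = [o for o in outputs if o.startswith(('pkt:', 'flow:'))]
        groups = count_capture_groups(pattern)
        if groups is None:
            findings.append(f'sid {sid}: pattern /{pattern}/ did not compile; check it by hand')
        elif len(variables) > groups:
            findings.append(f'sid {sid}: {len(variables)} output variable(s) {variables} '
                            f'but only {groups} capture group(s) in /{pattern}/')
    return findings


if __name__ == '__main__':
    for rule in (TICKET_RULE_NO_GROUPS, TICKET_RULE_ONE_GROUP, GOOD_RULE):
        sid = SID_OPT.search(rule).group(1)
        for line in check_rule(rule) or [f'sid {sid}: ok']:
            print(line)
```

Run over a rules file split on rule boundaries, this flags both ticket rules (2 variables against 0 and 1 groups) and passes the constructed rule, so the mismatch is caught at review time instead of at engine start.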

#8

Updated by Jeff Lucovsky 5 months ago

I've identified a fix... until it's ready, please try a rule with two captures.
The rule you listed only captures the NNTP user -- this triggers the segfault (which will be fixed).

#9

Updated by Jeff Lucovsky 5 months ago

  • Status changed from Assigned to In Review
