Bug #4261

closed

Mismatch between capture and outputs in rules leads to seg fault

Added by Shawn Yao over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty: low
Label: Needs backport to 5.0, Needs backport to 6.0

Description

Parsing bug: Given 2 or more outputs for one capture in the regex, there will be a segmentation fault.

For example,

alert tcp any any -> any any (msg:"get username in nntp"; \
content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)

Files

bug2.png (34.5 KB), Shawn Yao, 01/12/2021 05:18 AM
bug1.png (41.2 KB), Shawn Yao, 01/12/2021 05:18 AM
nntp.pcap (177 KB), you can try it now, Shawn Yao, 02/07/2021 06:53 AM

Related issues 2 (0 open, 2 closed)

Copied to Suricata - Bug #4287: Mismatch between capture and outputs in rules leads to seg fault, Closed, Jeff Lucovsky
Copied to Suricata - Bug #4288: Mismatch between capture and outputs in rules leads to seg fault, Closed, Victor Julien
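
A pre-load lint check for the mismatch this report describes, as an added example that is not part of the original report or of Suricata's code: it counts the capture groups in each pcre option and compares that with the number of outputs listed after the flags. The function names, the split at the first unescaped slash, the choice to flag any difference in counts, and OK_RULE are assumptions of this example; it also assumes the regex uses no \Q...\E quoting or branch-reset groups.

```python
import re

PCRE_OPT = re.compile(r'pcre:\s*!?"(.*?)(?<!\\)"\s*;', re.S)

def count_captures(regex):
    """Count plain and named capture groups; (?:..), lookarounds, (*VERB) are skipped."""
    count, i, in_class = 0, 0, False
    while i < len(regex):
        ch = regex[i]
        if ch == "\\":
            i += 1  # skip the escaped character
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            i += len(re.match(r"\^?\]?", regex[i + 1:]).group())  # literal leading ]
        elif ch == "(":
            nxt = regex[i + 1:i + 4]
            if nxt[:1] not in ("?", "*") or re.match(r"\?(P<|<[A-Za-z_]|')", nxt):
                count += 1
        i += 1
    return count

def split_pcre(value):
    """Split '/regex/flags, out1, out2' at the first unescaped closing slash."""
    value, i = value.strip(), 1
    while i < len(value) and value[i] != "/":
        i += 2 if value[i] == "\\" else 1
    tail = value[i + 1:].split(",")  # tail[0] holds the flags
    return value[1:i], [o.strip() for o in tail[1:] if o.strip()]

def check_rule(rule):
    """Return (capture_count, outputs) for each pcre option whose counts differ."""
    found = (split_pcre(m.group(1)) for m in PCRE_OPT.finditer(rule))
    return [(count_captures(rx), outs) for rx, outs in found
            if outs and count_captures(rx) != len(outs)]

# The rule from this report: no capture group, two outputs.
PAGE_RULE = r'''alert tcp any any -> any any (msg:"get username in nntp"; \
content:"USER"; \
pcre: "/AUTHINFO USER\r\n/i, pkt:nntp_username, pkt:nntp_password";\
sid:2000020;\
gid:100;)'''
# Constructed rule: two capture groups, two outputs.
OK_RULE = (r'alert tcp any any -> any any (msg:"constructed"; '
           r'pcre:"/USER (\S+) PASS (\S+)/i, pkt:user, pkt:pass"; sid:1;)')

if __name__ == "__main__":
    print(check_rule(PAGE_RULE), check_rule(OK_RULE))
```

Run over a rule file before loading it, a non-empty result marks the rules to fix or drop on Suricata builds that still lack the backported fix.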