Bug #456
closedSuricata CoreDump with a rule with two byte_extract keywords
Description
#uname -a
Linux 2.6.27.41-170.2.117.fc10.i686 #1 SMP Thu Dec 10 11:00:29 EST 2009 i686 i686 i386 GNU/Linux
#signature
alert udp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ETPRO TROJAN PWS.Win32/Zbot.gen!AF CnC traffic (UDP)"; flow:established,from_server; dsize:440<>512; content:!"|00|"; offset:44; depth:1; byte_extract:1,43,Zbot.AF.Pivot; byte_test:1,=,Zbot.AF.Pivot,44; byte_test:1,=,Zbot.AF.Pivot,45; byte_test:1,=,Zbot.AF.Pivot,46; byte_test:1,=,Zbot.AF.Pivot,47; content:!"|00|"; offset:73; depth:1; byte_extract:1,73,Zbot.AF.Pivot.2; byte_test:1,=,Zbot.AF.Pivot.2,74; byte_test:1,=,Zbot.AF.Pivot.2,75; byte_test:1,=,Zbot.AF.Pivot.2,76; byte_test:1,=,Zbot.AF.Pivot.2,77; byte_test:1,=,Zbot.AF.Pivot.2,78; byte_test:1,=,Zbot.AF.Pivot.2,79; byte_test:1,=,Zbot.AF.Pivot.2,80; byte_test:1,=,Zbot.AF.Pivot.2,81; byte_test:1,=,Zbot.AF.Pivot.2,82; byte_test:1,=,Zbot.AF.Pivot.2,83; byte_test:1,=,Zbot.AF.Pivot.2,84; byte_test:1,=,Zbot.AF.Pivot.2,85; byte_test:1,=,Zbot.AF.Pivot.2,86; byte_test:1,=,Zbot.AF.Pivot.2,87; byte_test:1,=,Zbot.AF.Pivot.2,88; byte_test:1,=,Zbot.AF.Pivot.2,89; byte_test:1,=,Zbot.AF.Pivot.2,90; byte_test:1,=,Zbot.AF.Pivot.2,91; classtype:trojan-activity; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=566859#none; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fZbot.gen!AF; reference:md5,202984ae8587bf9e0a295ac1de9d1c34; sid:2989; rev:1;)
[root@krynn oisf]# suricata
[3591] 24/4/2012 -
[3591] 24/4/2012 -- 19:03:44 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 1
[3591] 24/4/2012 -- 19:03:45 - (suricata.c:1506) <Info> (main) -- preallocated 50 packets. Total memory 215500
[3591] 24/4/2012 -- 19:03:45 - (flow.c:910) <Info> (FlowInitConfig) -- allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8
[3591] 24/4/2012 -- 19:03:45 - (flow.c:930) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 168
[3591] 24/4/2012 -- 19:03:45 - (flow.c:932) <Info> (FlowInitConfig) -- flow memory usage: 2204288 bytes, maximum: 33554432
[3591] 24/4/2012 -- 19:03:45 - (detect.c:643) <Info> (SigLoadSignatures) -- 1 rule files processed. 25 rules succesfully loaded, 0 rules failed
[3591] 24/4/2012 -- 19:03:45 - (detect.c:2458) <Info> (SigAddressPrepareStage1) -- 25 signatures processed. 0 are IP-only rules, 13 are inspecting packet payload, 17 inspect application layer, 0 are decoder event only
[3591] 24/4/2012 -- 19:03:45 - (detect.c:2461) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
[3591] 24/4/2012 -- 19:03:45 - (detect.c:3085) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[3591] 24/4/2012 -- 19:03:45 - (detect.c:3691) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[3591] 24/4/2012 -- 19:03:45 - (util-profiling.c:619) <Info> (SCProfilingInitRuleCounters) -- Registered 25 rule profiling counters.
[3591] 24/4/2012 -- 19:03:45 - (util-threshold-config.c:135) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory
[3591] 24/4/2012 -- 19:03:45 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[3591] 24/4/2012 -- 19:03:45 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[3591] 24/4/2012 -- 19:03:45 - (alert-unified2-alert.c:1207) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename unified2.alert, limit 32 MB
[3591] 24/4/2012 -- 19:03:45 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized: http.log
[3592] 24/4/2012 -- 19:03:45 - (source-pcap-file.c:212) <Info> (ReceivePcapFileThreadInit) -- reading pcap file /home/kelleck/sandnetR/ce6e46ee84563c80260a8174f4150ccc.pcap
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:348) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:360) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:376) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:382) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:388) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:405) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": disabled
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:415) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:433) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:451) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:492) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
[3591] 24/4/2012 -- 19:03:45 - (stream-tcp.c:494) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
[3591] 24/4/2012 -- 19:03:45 - (tm-threads.c:1831) <Info> (TmThreadWaitOnThreadInit) -- all 3 packet processing threads, 3 management threads initialized, engine started.
[3592] 24/4/2012 -- 19:03:45 - (source-pcap-file.c:189) <Info> (ReceivePcapFileLoop) -- pcap file end of file reached (pcap err code 0)
[3591] 24/4/2012 -- 19:03:45 - (suricata.c:1655) <Info> (main) -- stopping engine, waiting for outstanding packets
[3591] 24/4/2012 -- 19:03:45 - (suricata.c:1690) <Info> (main) -- all packets processed by threads, stopping engine
[3595] 24/4/2012 -- 19:03:46 - (flow-manager.c:293) <Info> (FlowManagerThread) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[3591] 24/4/2012 -- 19:03:46 - (suricata.c:1719) <Info> (main) -- time elapsed 0.782s
[3592] 24/4/2012 -- 19:03:46 - (source-pcap-file.c:278) <Info> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 701 packets, 532552 bytes
[3592] 24/4/2012 -- 19:03:46 - (stream-tcp.c:3987) <Info> (StreamTcpExitPrintStats) -- Stream TCP processed 82 TCP packets
- glibc detected * suricata: free(): invalid next size (fast): 0x09cee660 *
======= Backtrace: =========
/lib/libc.so.6[0x7b73a4]
/lib/libc.so.6(cfree+0x96)[0x7b9356]
suricata[0x8070672]
suricata[0x812043e]
/lib/libpthread.so.0[0x8cb51f]
/lib/libc.so.6(clone+0x5e)[0x82c04e] ======= Memory map: ========
00110000-00126000 r-xp 00000000 fd:00 2902271 /lib/libnet.so.1.5.0
00126000-00127000 rw-p 00015000 fd:00 2902271 /lib/libnet.so.1.5.0
00127000-00128000 rw-p 00127000 00:00 0
00562000-00563000 r-xp 00562000 00:00 0 [vdso]
00565000-00569000 r-xp 00000000 fd:00 2902269 /lib/libcap-ng.so.0.0.0
00569000-0056a000 r--p 00003000 fd:00 2902269 /lib/libcap-ng.so.0.0.0
0056a000-0056b000 rw-p 00004000 fd:00 2902269 /lib/libcap-ng.so.0.0.0
00723000-00743000 r-xp 00000000 fd:00 2902295 /lib/ld-2.9.so
00744000-00745000 r--p 00020000 fd:00 2902295 /lib/ld-2.9.so
00745000-00746000 rw-p 00021000 fd:00 2902295 /lib/ld-2.9.so
00748000-008b6000 r-xp 00000000 fd:00 2902309 /lib/libc-2.9.so
008b6000-008b8000 r--p 0016e000 fd:00 2902309 /lib/libc-2.9.so
008b8000-008b9000 rw-p 00170000 fd:00 2902309 /lib/libc-2.9.so
008b9000-008bc000 rw-p 008b9000 00:00 0
008c5000-008db000 r-xp 00000000 fd:00 2902310 /lib/libpthread-2.9.so
008db000-008dc000 r--p 00015000 fd:00 2902310 /lib/libpthread-2.9.so
008dc000-008dd000 rw-p 00016000 fd:00 2902310 /lib/libpthread-2.9.so
008dd000-008df000 rw-p 008dd000 00:00 0
0090c000-0091f000 r-xp 00000000 fd:00 2902321 /lib/libz.so.1.2.3
0091f000-00920000 rw-p 00012000 fd:00 2902321 /lib/libz.so.1.2.3
00941000-00956000 r-xp 00000000 fd:00 961215 /usr/lib/libmagic.so.1.0.0
00956000-00957000 rw-p 00015000 fd:00 961215 /usr/lib/libmagic.so.1.0.0
00a5b000-00a8e000 r-xp 00000000 fd:00 2990352 /usr/lib/libpcap.so.1.1.1
00a8e000-00a8f000 rw-p 00032000 fd:00 2990352 /usr/lib/libpcap.so.1.1.1
00a8f000-00a90000 rw-p 00a8f000 00:00 0
00ccc000-00cd9000 r-xp 00000000 fd:00 2902323 /lib/libgcc_s-4.3.2-20081105.so.1
00cd9000-00cda000 rw-p 0000c000 fd:00 2902323 /lib/libgcc_s-4.3.2-20081105.so.1
00d14000-00d23000 r-xp 00000000 fd:00 959998 /usr/local/lib/libhtp-0.2.so.1.0.2
00d23000-00d24000 rw-p 0000f000 fd:00 959998 /usr/local/lib/libhtp-0.2.so.1.0.2
00e1a000-00e38000 r-xp 00000000 fd:00 2990332 /usr/lib/libyaml-0.so.1.1.0
00e38000-00e39000 rw-p 0001d000 fd:00 2990332 /usr/lib/libyaml-0.so.1.1.0
02246000-02277000 r-xp 00000000 fd:00 2900489 /lib/libpcre.so.0.0.1
02277000-02278000 rw-p 00030000 fd:00 2900489 /lib/libpcre.so.0.0.1
08048000-08184000 r-xp 00000000 fd:00 965661 /usr/local/bin/suricata
08184000-08188000 rw-p 0013c000 fd:00 965661 /usr/local/bin/suricata
08188000-085b9000 rw-p 08188000 00:00 0
0902c000-0b198000 rw-p 0902c000 00:00 0 [heap]
b3932000-b3933000 ---p b3932000 00:00 0
b3933000-b4333000 rw-p b3933000 00:00 0
b4333000-b4334000 ---p b4333000 00:00 0
b4334000-b4d34000 rw-p b4334000 00:00 0
b4d34000-b4d35000 ---p b4d34000 00:00 0
b4d35000-b5735000 rw-p b4d35000 00:00 0
b5735000-b5736000 ---p b5735000 00:00 0
b5736000-b6136000 rw-p b5736000 00:00 0
b6136000-b6137000 ---p b6136000 00:00 0
b6137000-b6b37000 rw-p b6137000 00:00 0
b6b37000-b6b38000 ---p b6b37000 00:00 0
b6b38000-b7538000 rw-p b6b38000 00:00 0
b7538000-b76ce000 rw-p 00000000 fd:00 1000228 /usr/share/file/magic.mgc
b76ce000-b770f000 rw-p b76ce000 00:00 0
b7710000-b7898000 rw-p b7710000 00:00 0
b78ad000-b78b3000 rw-p b78ad000 00:00 0
bfbe0000-bfc26000 rw-p bffba000 00:00 0 [stack]
Aborted (core dumped)
Files
Updated by Anoop Saldanha over 12 years ago
- Assignee set to Anoop Saldanha
Can you supply the pcap for this?
Updated by Victor Julien over 12 years ago
- Target version set to 1.3beta2
- Estimated time set to 4.00 h
Updated by Anoop Saldanha over 12 years ago
- File 0001-bug-456-fix-for-byte_extract-to-have-array-of-the-ri.patch 0001-bug-456-fix-for-byte_extract-to-have-array-of-the-ri.patch added
fix attached.
Updated by Victor Julien over 12 years ago
- Status changed from Resolved to Closed
- % Done changed from 0 to 100
Applied, thanks Anoop.