Bug #4858
closedfuzz: Timeout with pcre
Added by Philippe Antoine over 3 years ago. Updated 9 days ago.
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40380
Reproducer signature is alert ip any any -> any any (pcre:"/.*\.loca|domain/"; sid:1;)
alert ip any any -> any any (pcre:"/.*\seqppcre:"/.*|.localdom 'HTTP/2.FPC0e:"/.*|.localdomain/"; sid:1;)
alert ip any any -> any any (content:"dummy"; sid:2;)
The second signature makes the run 500 times faster
That is because raw_stream_progress is updated only by PrefilterPktStream
But I am not sure this fast result is always correct...
Files
| lolb.pcap (1.29 KB) lolb.pcap | Philippe Antoine, 11/29/2021 09:11 AM | ||
| pcrexform.rules (255 Bytes) pcrexform.rules | Philippe Antoine, 04/08/2022 08:58 AM | ||
| pcrexform.pcap (421 KB) pcrexform.pcap | Philippe Antoine, 04/08/2022 08:58 AM |
Updated by Philippe Antoine over 3 years ago
So, the next step is to check if
alert ip any any -> any any (pcre:"/testoverpackets/"; sid:1;) alert ip any any -> any any (content:"dummy"; sid:2;)
gives the expected results when testoverpackets is split over 2 packets (with or without the second signature enabled)
Updated by Philippe Antoine over 3 years ago
So, we have indeed a wrong result :
alert ip any any -> any any (pcre:"/HTTP\/2.loc/"; sid:11;) #alert http any any -> any any (content:"dummy"; sid:2;)
/src/suricata -S lol.rules -k none -c suricata.yaml -r /Users/catena/catena/prod/bounty/fuzzpcap/build/lolb.pcap -l log --set stream.reassembly.toserver-chunk-size=25gives either 0 or 3 matches for sid 11
Updated by Philippe Antoine over 3 years ago
Even alert ip any any -> any any (content:"HTTP/2.loc"; sid:11;) alone does not trigger with stream.reassembly.toserver-chunk-size=25
Updated by Victor Julien over 3 years ago
- Status changed from New to Assigned
- Assignee changed from Philippe Antoine to Victor Julien
Can you split this ticket into 2 tickets, one for the pcre timeout and one for the evasion.
Updated by Philippe Antoine over 3 years ago
- Related to Optimization #5076: keyword content does not work over reassembled TCP added
Updated by Philippe Antoine over 3 years ago
- Related to deleted (Optimization #5076: keyword content does not work over reassembled TCP)
Updated by Philippe Antoine over 3 years ago
- Blocked by Optimization #5076: keyword content does not work over reassembled TCP added
Updated by Philippe Antoine over 3 years ago
- File pcrexform.pcap pcrexform.pcap added
- File pcrexform.rules pcrexform.rules added
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44742 is some variant of Regexp DOS :
using rules
alert tcp any any -> any any (file.data; strip_whitespace; pcrexform:"[a-wA-Z]+\S+(.*)\s+HTTP"; content:"/z4>0m"; endswith; sid:124;) alert tcp any any -> any any (file.data; strip_whitespace; pcrexform:"[a-wA-Z]+\s+(.*)\s+HTTP"; content:"pass"; sid:19;)
and a pcap with multiple http files to do this transform where we spend much time in DetectTransformPcrexform/pcre2_match_8
Updated by Philippe Antoine about 3 years ago
For the timeout, I think the solution is to have hyperscan/pcre2 do stream detection, instead of running pcre2 on a 65k payload everytime there is a new packet...
Updated by Victor Julien almost 3 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Philippe Antoine almost 3 years ago
- Target version changed from 7.0.0-rc1 to TBD
I think this can be post 7...
Updated by Victor Julien over 2 years ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine about 1 year ago
I think this one can be postponed after 8
Updated by Philippe Antoine 10 months ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine 10 months ago
Philippe Antoine wrote in #note-9:
For the timeout, I think the solution is to have hyperscan/pcre2 do stream detection, instead of running pcre2 on a 65k payload everytime there is a new packet...
This hard to implement solution can be investigated after the easy solution to make oss-fuzz happy
Updated by Philippe Antoine 10 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 10 months ago
- Blocked by deleted (Optimization #5076: keyword content does not work over reassembled TCP)
Updated by Philippe Antoine 10 months ago
- Related to Optimization #5076: keyword content does not work over reassembled TCP added
Updated by Philippe Antoine 10 months ago
- Status changed from Resolved to Closed
- Assignee changed from Victor Julien to Philippe Antoine
Updated by Philippe Antoine 10 months ago
- Subject changed from Timeout with pcre to fuzz: Timeout with pcre
Updated by Philippe Antoine 10 months ago
- Related to Feature #7328: detect: use hyper scan streaming mode added
Updated by Philippe Antoine 7 months ago
oss-fuzz found another case with
alert ip any any -> any any (content:!"4008.mp65533";pcre:!"/.detect.alerttcppcre:!/wk"/.*bCaprt.lte.c^hFPC5|\H+?0{},{}n*bbpcre:eCaprt.ltf.cbqoluterttcppcre:!/wk"/.*bCaprt.lte.c^hFPC0|\H+?0{},{}n*bbpcre:eCaprt.lte.cbsolute_o[fset\H+0}{?,{}n*re:eCaprt.flow.wrk.fl|\; dnp3_ind:]5{},{:.c^hF]PC0|absolulows_evicted_plte.c^hFPC0|\W+?3{}H+0*hhhhn/"; pcre:!/.*\A.l,Focaldomain/"; sid:1;)
Updated by Philippe Antoine 7 months ago
Updated by Philippe Antoine 7 months ago
New better fix is https://github.com/OISF/suricata/pull/12350