Bug #55

closed

Engine Segv's when an invalid configuration file is specified

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

We should probably exit, or at least return -1, regardless of whether --init-errors-fatal is specified, if any of the following rules fail to parse, as other parts of the code rely on them. In the snippet below, when SigInit() returns NULL the code only records ret = -1 and then continues into prevsig->next = sig, which is the NULL dereference the backtrace shows at detect.c:305.

/* http_uri -- for uricontent */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server,established; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
if (sig == NULL)
ret = -1;
prevsig = sig;
de_ctx->sig_list = sig;
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server,established; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
prevsig = sig;
/* http_host -- for the log-httplog module */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server,established; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:3;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
prevsig = sig;
/* http_ua -- for the log-httplog module */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server,established; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.*)\\r\\n/m\"; noalert; sid:4;)");
if (sig == NULL)
ret = -1;

coz@coz-desktop:~/downloads/oisfnew$ src/suricata -r /home/coz/downloads/dc17ctf.pcap -l ./ -c blah.rules
Warning: Invalid global_log_level assigned by user. Falling back on the default_log_level "Info"
Warning: Invalid global_log_format supplied by user or format length exceeded limit of "128" characters. Falling back on default log_format "[%i] %t - (%f:%l) <%d> (%n) -- "
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
[1570] 11/1/2010 -- 08:56:41 - (suricata.c:437) <Info> (main) -- This is Suricata version 0.8.0
[1570] 11/1/2010 -- 08:56:41 - (suricata.c:607) <Info> (main) -- preallocating packets... packet size 92664
[1570] 11/1/2010 -- 08:56:41 - (suricata.c:621) <Info> (main) -- preallocating packets... done: total memory 4633200
[1570] 11/1/2010 -- 08:56:41 - (flow.c:426) <Info> (FlowInitConfig) -- initializing flow engine...
[1570] 11/1/2010 -- 08:56:42 - (flow.c:468) <Info> (FlowInitConfig) -- allocated 3145728 bytes of memory for the flow hash... 65536 buckets of size 48
[1570] 11/1/2010 -- 08:56:42 - (flow.c:482) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 208
[1570] 11/1/2010 -- 08:56:42 - (flow.c:484) <Info> (FlowInitConfig) -- flow memory usage: 3145728 bytes, maximum: 33554432
[1570] 11/1/2010 -- 08:56:42 - (util-rule-vars.c:77) <Error> (SCRuleVarsGetConfVar) -- [ERRCODE: SC_ERR_UNDEFINED_VAR(66)] - Variable "HTTP_PORTS" is not defined in configuration file
[1570] 11/1/2010 -- 08:56:42 - (util-rule-vars.c:77) <Error> (SCRuleVarsGetConfVar) -- [ERRCODE: SC_ERR_UNDEFINED_VAR(66)] - Variable "HTTP_PORTS" is not defined in configuration file
Segmentation fault (core dumped)
coz@coz-desktop:~/downloads/oisfnew$ gdb src/suricata core
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/coz/downloads/oisfnew/src/suricata...done.

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libhtp-0.1.so.1...done.
Loaded symbols for /usr/lib/libhtp-0.1.so.1
Reading symbols from /usr/lib/libpcap.so.0.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8
Reading symbols from /usr/local/lib/libpfring.so...done.
Loaded symbols for /usr/local/lib/libpfring.so
Reading symbols from /usr/lib/libnet.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnet.so.1
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libyaml-0.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libyaml-0.so.1
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.10.1.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `src/suricata -r /home/coz/downloads/dc17ctf.pcap -l ./ -c blah.rules'.
Program terminated with signal 11, Segmentation fault.
#0 0x000000000041865a in SigLoadSignatures (de_ctx=0x1a11620, sig_file=0x0) at detect.c:305
305         prevsig->next = sig;
(gdb) bt full
#0 0x000000000041865a in SigLoadSignatures (de_ctx=0x1a11620, sig_file=0x0) at detect.c:305
prevsig = 0x0
sig = 0x0
rule_files = 0x473529
file = 0x0
ret = -1
r = 0
cnt = 0
cntf = 0
sfile = 0x0
__FUNCTION__ = "SigLoadSignatures"
#1 0x0000000000404ef7 in main (argc=7, argv=0x7fff33051e38) at suricata.c:629
opt = -1
mode = 2
pcap_file = 0x7fff33053606 "/home/coz/downloads/dc17ctf.pcap"
pcap_dev = 0x0
pfring_dev = 0x0
sig_file = 0x0
nfq_id = 0
conf_filename = 0x7fff33053630 "blah.rules"
dump_config = 0
list_unittests = 0
daemon = 0
log_dir = 0x13221a0 "./"
buf = {st_dev = 2055, st_ino = 17351950, st_nlink = 7, st_mode = 16877, st_uid = 1000, st_gid = 1000, pad0 = 0, st_rdev = 0, st_size = 110592, st_blksize = 4096, st_blocks = 224, st_atim = {tv_sec = 1263218160, tv_nsec = 0},
st_mtim = {tv_sec = 1263217963, tv_nsec = 0}, st_ctim = {tv_sec = 1263217963, tv_nsec = 0}, __unused = {0, 0, 0}}
long_opts = {{name = 0x4a5848 "dump-config", has_arg = 0, flag = 0x7fff3305190c, val = 1}, {name = 0x4a5854 "pfring-int", has_arg = 1, flag = 0x0, val = 0}, {name = 0x4a585f "pfring-clusterid", has_arg = 1, flag = 0x0,
val = 0}, {name = 0x4a5870 "unittest-filter", has_arg = 1, flag = 0x0, val = 85}, {name = 0x4a5880 "list-unittests", has_arg = 0, flag = 0x7fff33051908, val = 1}, {name = 0x4a588f "init-errors-fatal", has_arg = 0,
flag = 0x0, val = 0}, {name = 0x4a58a1 "fatal-unittests", has_arg = 0, flag = 0x0, val = 0}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
option_index = 0
short_opts = "c:Dhi:l:q:r:us:U:V"
__FUNCTION__ = "main"
c = 255 '\377'
i = 50
de_ctx = 0x1a11620
start_time = {tv_sec = -450755873996800, tv_usec = 139821930291200}

Reported to the list as:

Hello there ,
I am having trouble running suricata with a rules file; every time I start suricata I get this message:

root@test:~/suricata-current# suricata -c suricata.yaml -i eth1 -c /etc/snort/rules/x11.rules
Warning: Invalid global_log_level assigned by user. Falling back on the default_log_level "Info"
Warning: Invalid global_log_format supplied by user or format length exceeded limit of "128" characters. Falling back on default log_format "[%i] %t - (%f:%l) <%d> (%n) -- "
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
[26040] 11/1/2010 -- 08:39:17 - (suricata.c:425) <Info> (main) -- This is Suricata version 0.8.0
    *** glibc detected *** suricata: free(): invalid pointer: 0xb7edc2a1 ***
    ======= Backtrace: =========
    /lib/tls/i686/cmov/libc.so.6[0xb7e1aa85]
    /lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e1e4f0]
    suricata[0x80a725a]
    suricata[0x80a741a]
    suricata[0x804b2aa]
    /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7dc5450]
    suricata[0x804a961]
    ======= Memory map: ========
    08048000-080ca000 r-xp 00000000 08:01 91327 /usr/local/bin/suricata
    080ca000-080cb000 rw-p 00082000 08:01 91327 /usr/local/bin/suricata
    080cb000-08119000 rw-p 080cb000 00:00 0 [heap]
    b7c00000-b7c21000 rw-p b7c00000 00:00 0
    b7c21000-b7d00000 ---p b7c21000 00:00 0
    b7d87000-b7d91000 r-xp 00000000 08:01 1777680 /lib/libgcc_s.so.1
    b7d91000-b7d92000 rw-p 0000a000 08:01 1777680 /lib/libgcc_s.so.1
    b7d99000-b7d9a000 rw-p b7d99000 00:00 0
    b7d9a000-b7dae000 r-xp 00000000 08:01 83916 /usr/lib/libz.so.1.2.3.3
    b7dae000-b7daf000 rw-p 00013000 08:01 83916 /usr/lib/libz.so.1.2.3.3
    b7daf000-b7ef8000 r-xp 00000000 08:01 1777688 /lib/tls/i686/cmov/libc-2.7.so
    b7ef8000-b7ef9000 r--p 00149000 08:01 1777688 /lib/tls/i686/cmov/libc-2.7.so
    b7ef9000-b7efb000 rw-p 0014a000 08:01 1777688 /lib/tls/i686/cmov/libc-2.7.so
    b7efb000-b7efe000 rw-p b7efb000 00:00 0
    b7efe000-b7f24000 r-xp 00000000 08:01 87668 /usr/lib/libpcre.so.3.12.1
    b7f24000-b7f25000 rw-p 00026000 08:01 87668 /usr/lib/libpcre.so.3.12.1
    b7f25000-b7f26000 rw-p b7f25000 00:00 0
    b7f26000-b7f41000 r-xp 00000000 08:01 565249 /usr/local/lib/libyaml-0.so.2.0.1
    b7f41000-b7f42000 rw-p 0001a000 08:01 565249 /usr/local/lib/libyaml-0.so.2.0.1
    b7f42000-b7f56000 r-xp 00000000 08:01 1777702 /lib/tls/i686/cmov/libpthread-2.7.so
    b7f56000-b7f58000 rw-p 00013000 08:01 1777702 /lib/tls/i686/cmov/libpthread-2.7.so
    b7f58000-b7f5a000 rw-p b7f58000 00:00 0
    b7f5a000-b7f60000 r-xp 00000000 08:01 88329 /usr/lib/libnfnetlink.so.0.2.0
    b7f60000-b7f61000 rw-p 00005000 08:01 88329 /usr/lib/libnfnetlink.so.0.2.0
    b7f61000-b7f63000 r-xp 00000000 08:01 88309 /usr/lib/libnetfilter_queue.so.1.1.0
    b7f63000-b7f64000 rw-p 00001000 08:01 88309 /usr/lib/libnetfilter_queue.so.1.1.0
    b7f64000-b7f77000 r-xp 00000000 08:01 89678 /usr/lib/libnet.so.1.3.0
    b7f77000-b7f78000 rw-p 00013000 08:01 89678 /usr/lib/libnet.so.1.3.0
    b7f78000-b7f7a000 rw-p b7f78000 00:00 0
    b7f7a000-b7f97000 r-xp 00000000 08:01 87729 /usr/lib/libpcap.so.0.7.2
    b7f97000-b7f98000 rw-p 0001d000 08:01 87729 /usr/lib/libpcap.so.0.7.2
    b7f98000-b7fa6000 r-xp 00000000 08:01 88130 /usr/lib/libhtp-0.1.so.1.0.2
    b7fa6000-b7fa7000 rw-p 0000e000 08:01 88130 /usr/lib/libhtp-0.1.so.1.0.2
    b7fac000-b7fb0000 rw-p b7fac000 00:00 0
    b7fb0000-b7fb1000 r-xp b7fb0000 00:00 0 [vdso]
    b7fb1000-b7fcb000 r-xp 00000000 08:01 1779190 /lib/ld-2.7.so
    b7fcb000-b7fcd000 rw-p 00019000 08:01 1779190 /lib/ld-2.7.so
    bffc9000-bffde000 rw-p bffeb000 00:00 0 [stack]
    Aborted

Running Ubuntu 8.04 server

I will be pleased for any help

thanks in advance
Ihab El Bakri

