Suricata

On Ubuntu 22.04.1 LTS, if you configure Suricata systemd service file with the following security hardening settings "MemoryDenyWriteExecute=true" the suricata Service will crash with a segmentation fault once the PCRE engine is triggerd to compile a PCRE found in a rule using JIT.

to reproduce this issue please follow these steps:

1. install suricata 6.0.9 from ppa:oisf/suricata-stable on Ubuntu 22.04.1 LTS
2. configure suricata to listen to the interface
3. configure suricata with the following rule
   

   alert ip any any -> any any (msg:"crash test"; content:"test"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:1;)
   

4. use the following systemd file to run suricata service, place it in: /lib/systemd/system/suricata.service
   

   # IDSTower Suricata systemd unit file.
   [Unit]
   Description=IDSTower Suricata Service
   After=syslog.target network-online.target systemd-tmpfiles-setup.service
   Documentation=man:suricata(1)
   
   [Service]
   ExecStartPre=/bin/rm -f /etc/suricata/suricata.pid
   ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /etc/suricata/suricata.pid --af-packet -vvv
   ExecReload=/bin/kill -USR2 $MAINPID
   
   ### Security Settings ###
   MemoryDenyWriteExecute=true
   LockPersonality=true
   ProtectControlGroups=true
   ProtectKernelModules=true
   
   [Install]
   WantedBy=multi-user.target
   

Note: this is the same systemd service file avaiable in Suricata Redhat/CentOS RPMs

#create a txt file named trigger.txt containing the word test on another machine

user@idstowerubuntu22:~$ cat trigger.txt
test

#start a simple python server to serve trigger.txt and curl it from the suricata machine

python -m http.server

curl -X GET http://192.168.3.242:8000/trigger.txt

#Suricata service will crash

running: sudo dmesg -T