Project

General

Profile

Actions

Bug #6201

closed

multi-tenancy: crash under test mode when tenant signature load fails

Added by Jeff Lucovsky over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When running Suricata under test mode and multi-tenancy configured, a crash often occurs when signature loading fails.

When using a tenant configuration file that lacks a definition for DNP3_SERVER and the tenant's configuration specifies a ETPro rule file from early 2023, the following error message is printed, the signature is rejected, and test mode "fails":

5/7/2023 -- 13:26:27 - <Error> - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DNP3_SERVER" is not defined in configuration file
5/7/2023 -- 13:26:27 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any <> $DNP3_SERVER <redacted>" 
5/7/2023 -- 13:26:45 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

Then, this crash occurs:

Thread 15 "DL#02" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe89ff640 (LWP 2053)]
VariableNameGetIdx (type=VAR_TYPE_FLOW_BIT, name=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", v=0x0) at util-var-name.c:190
190        VariableName *lookup_fn = (VariableName *)HashListTableLookup(v->names, (void *)fn, 0);
(gdb) p v
$1 = (VarNameStore *) 0x0
(gdb) bt
#0  VariableNameGetIdx (type=VAR_TYPE_FLOW_BIT, name=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", v=0x0) at util-var-name.c:190
#1  VarNameStoreSetupAdd (name=name@entry=0x7fffe89e8b80 "ETPRO.slenfbot_g_pass", type=type@entry=VAR_TYPE_FLOW_BIT) at util-var-name.c:327
#2  0x00005555556ef29d in DetectFlowbitParse (de_ctx=0x7fffe7c04000, rawstr=<optimized out>, cdout=cdout@entry=0x7fffe89e8cd0) at detect-flowbits.c:313
#3  0x00005555556ef42f in DetectFlowbitSetup (de_ctx=<optimized out>, s=0x7fffaa437a40, rawstr=<optimized out>) at detect-flowbits.c:335
#4  0x0000555555706798 in SigParseOptions (output_size=275, output=0x7fffe89e8d00 "", optstr=0x7fffe89e8e21 "flowbits", s=0x7fffaa437a40,
    de_ctx=0x7fffe7c04000) at detect-parse.c:815
#5  SigParse (parser=0x7fffe89e8fb0, addrs_direction=<optimized out>, sigstr=0x7fffe89faff0 "\260\260\237\350\377\177", s=<optimized out>,
    de_ctx=<optimized out>) at detect-parse.c:1251
#6  SigInitHelper (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"..., dir=dir@entry=0 '\000') at detect-parse.c:1910
#7  0x00005555557079e2 in SigInit (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"...) at detect-parse.c:2079
#8  0x0000555555707bb7 in DetectEngineAppendSig (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sigstr=sigstr@entry=0x7fffe89fb0b0 "alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:\"ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2\"; flow:to_server,established; content:\"PASS xxx|0D|\"; depth:9; nocase; flowbits:set,ETPRO.slenfbot_g_pass"...) at detect-parse.c:2377
#9  0x00005555556dbeab in DetectLoadSigFile (de_ctx=de_ctx@entry=0x7fffe7c04000,
    sig_file=sig_file@entry=0x7fffe7c034f0 "/tmp/etc/suricata/rules/tenant-2.rules", goodsigs=goodsigs@entry=0x7fffe89fd1c8, badsigs=0x7fffe89fb0b0,
    badsigs@entry=0x7fffe89fd1cc) at detect-engine-loader.c:169
#10 0x00005555556dc208 in ProcessSigFiles (de_ctx=de_ctx@entry=0x7fffe7c04000, pattern=pattern@entry=0x7fffe7c034c0 "/tmp/etc/suricata/rules/tenant-2.rules",
    st=st@entry=0x7fffe7c05410, good_sigs=good_sigs@entry=0x7fffe89fd1c8, bad_sigs=bad_sigs@entry=0x7fffe89fd1cc) at detect-engine-loader.c:252
#11 0x00005555556dc9c6 in SigLoadSignatures (de_ctx=de_ctx@entry=0x7fffe7c04000, sig_file=sig_file@entry=0x0, sig_file_exclusive=sig_file_exclusive@entry=0)
    at detect-engine-loader.c:312
#12 0x00005555556c7bd6 in DetectEngineMultiTenantLoadTenant (loader_id=1, filename=<optimized out>, tenant_id=2) at detect-engine.c:3348
#13 DetectLoaderFuncLoadTenant (vctx=<optimized out>, loader_id=1) at detect-engine.c:3429
#14 0x00005555556dc3fb in DetectLoader (thread_data=<optimized out>, th_v=<optimized out>) at detect-engine-loader.c:593
#15 DetectLoader (th_v=0x7ffff1a768c0, thread_data=0x7fffe7c00000) at detect-engine-loader.c:572
#16 0x0000555555782a43 in TmThreadsManagement (td=0x7ffff1a768c0) at tm-threads.c:562
#17 0x00007ffff64abf3e in start_thread (arg=0x7fffe89ff640) at pthread_create.c:463
#18 0x00007ffff69f114f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95


Subtasks 1 (0 open1 closed)

Bug #6248: Multi-tenancy: crash under test mode when tenant signature load fails (6.0.x backport)ClosedJeff LucovskyActions

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #6044: detect: multi-tenancy leaks memory if more than 1 tenant registeredClosedVictor JulienActions
Actions #1

Updated by Victor Julien over 1 year ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 7.0.1
  • Label Needs backport to 6.0 added
Actions #2

Updated by OISF Ticketbot over 1 year ago

  • Subtask #6248 added
Actions #3

Updated by OISF Ticketbot over 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions #4

Updated by Victor Julien over 1 year ago

  • Related to Bug #6044: detect: multi-tenancy leaks memory if more than 1 tenant registered added
Actions #5

Updated by Victor Julien over 1 year ago

  • Subject changed from Multi-tenancy: crash under test mode when tenant signature load fails to multi-tenancy: crash under test mode when tenant signature load fails
  • Status changed from In Progress to In Review
Actions #6

Updated by Victor Julien over 1 year ago

  • Status changed from In Review to Resolved
Actions #7

Updated by Victor Julien about 1 year ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF