Security #2231
Updated by Victor Julien about 7 years ago
It is possible to make Suricata to perform lots of redundant checks on a content against a specially crafted network traffic with a certain signature. Search engine doesn't stop when it should after no match found and ends only on reaching inspection-recursion-limit (3000 by default). This issue was fixed in 4.0 branch likely with the following fix: https://redmine.openinfosecfoundation.org/issues/2101 Results of scanning a crafted PCAP against ET Open signature sid:2016204 Suricata 3.2.x-master: <pre> Stats for: total -------------------------------------------------------------------------------------------------------------------------------- Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- content 5479828 1510 1501 225789 3629.00 3632.00 3089.00 pcre 3836615439 1491 0 17232405 2573182.00 0.00 2573182.00 -------------------------------------------------------------------------------------------------------------------------------- </pre> Suricata 4.0: <pre> Stats for: total -------------------------------------------------------------------------------------------------------------------------------- Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- content 19060 4 3 8164 4765.00 5374.00 2936.00 pcre 2938616 1 0 2938616 2938616.00 0.00 2938616.00 -------------------------------------------------------------------------------------------------------------------------------- </pre> I've attached a sample pcap that I used for experiments