Snort mailing list archives
PCRE recursion limit override related segv...
From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 31 Aug 2012 14:19:15 -0500
Seems overriding recursion limits via /O can cause a segv under some circumstances. While you would never actually want a rule like this, it makes the bug easy to trigger :). Here I just processed a pcap of an HTTP session containing a download of the PDF spec from Adobe and loaded this rule. PCAP is 10mb or so... Let me know if you need it.

http://partners.adobe.com/public/developer/en/pdf/PDFReference.pdf

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Smell that? You smell that? What? Recursion son Nothing in the World Smells like that"; flow:established,from_server; pcre:"/obj((?!I Love the Smell of Recursion in the Morning).)+endobj/Os"; classtype:attempted-user; sid:88; rev:1;)

[ Number of patterns truncated to 20 bytes: 0 ]
pcap DAQ configured to read-file.
Acquiring network traffic from "/storage/pdfspecdownload.pcap".
Reload thread starting...
Reload thread started, thread 0x7fd08bb11700 (15342)
WARNING: active responses disabled since DAQ can't inject packets.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>

Commencing packet processing (pid=15342)
Segmentation fault (core dumped)

stdout:
#0  match (eptr=0x2a0aa1f "Columns\n07\n/Colors 3>>\nID x\234c,\232}\260o\335y\006\242\201\271\206\004", ecode=0x28d0e75 "Y", mstart=0x2a08e7b "stream\nq 0.1 0 0 0.1 0 0 cm\n/R7 gs\n/R9 CS\n0 SCN\n/R9 cs\n0 scn\nq\n10 0 0 10 0 0 cm BT\n/R10 8.46 Tf\n0.998057 0 0 1 305.76 757.56 Tm\n( )Tj\n/R10 7.55724 Tf\n0.998126 0 0 1 65.6398 44.8801 Tm\n[(2)-0.801873( )"..., markptr=0x0, offset_top=4, md=0x7fff4fe1b9a0, ims=4, eptrb=0x0, flags=0, rdepth=14139) at pcre_exec.c:473
473	pcre_exec.c: No such file or directory.
(gdb) but full
Undefined command: "but".  Try "help".
(gdb) bt full
#0  match (eptr=0x2a0aa1f "Columns\n07\n/Colors 3>>\nID x\234c,\232}\260o\335y\006\242\201\271\206\004", ecode=0x28d0e75 "Y", mstart=0x2a08e7b "stream\nq 0.1 0 0 0.1 0 0 cm\n/R7 gs\n/R9 CS\n0 SCN\n/R9 cs\n0 scn\nq\n10 0 0 10 0 0 cm BT\n/R10 8.46 Tf\n0.998057 0 0 1 305.76 757.56 Tm\n( )Tj\n/R10 7.55724 Tf\n0.998126 0 0 1 65.6398 44.8801 Tm\n[(2)-0.801873( )"..., markptr=0x0, offset_top=4, md=0x7fff4fe1b9a0, ims=4, eptrb=0x0, flags=0, rdepth=14139) at pcre_exec.c:473
        rrc = <optimized out>
        i = <optimized out>
        c = <optimized out>
        utf8 = <optimized out>
        minimize = <optimized out>
        possessive = <optimized out>
        condcode = <optimized out>
        charptr = <optimized out>
        callpat = <optimized out>
        data = <optimized out>
        next = <optimized out>
        pp = <optimized out>
        prev = <optimized out>
        saved_eptr = <optimized out>
        new_recursive = <error reading variable new_recursive (Cannot access memory at address 0x7fff4f61ffb0)>
        cur_is_word = <optimized out>
        condition = <optimized out>
        prev_is_word = <optimized out>
        original_ims = <optimized out>
        prop_type = <optimized out>
        prop_value = <optimized out>
        prop_fail_result = <optimized out>
        prop_category = <optimized out>
        prop_chartype = <optimized out>
        oclength = <optimized out>
        occhars = <error reading variable occhars (Cannot access memory at address 0x7fff4f61fff0)>
        codelink = <optimized out>
        ctype = <optimized out>
        length = <optimized out>
        max = <optimized out>
        min = <optimized out>
        number = <optimized out>
        offset = <optimized out>
        op = <optimized out>
        save_capture_last = <optimized out>
        save_offset1 = <optimized out>
        save_offset2 = <optimized out>
        save_offset3 = <optimized out>
        stacksave = <error reading variable stacksave (Cannot access memory at address 0x7fff4f61fef0)>
        newptrb = <error reading variable newptrb (Cannot access memory at address 0x7fff4f61ffe0)>
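Added example, not part of the original post or of Snort itself: a small Python lint that pulls the pcre option out of a Snort rule and flags the combination the report describes, the O modifier (which makes Snort skip its configured pcre_match_limit and pcre_match_limit_recursion for that expression) together with an unbounded loop that consumes one byte per iteration, so the match() recursion depth in pcre_exec grows with the payload length (rdepth=14139 in the backtrace above). The sample rules are constructed: the first reuses the pcre option from the report with a shortened msg, the second is a hypothetical hardened rewrite (bounded repeat, no O) for contrast.

```python
import re

# Constructed samples: the first reuses the pcre option from the bug report (msg
# shortened), the second is a hypothetical hardened rewrite for contrast.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"recursion test"; '
    'flow:established,from_server; '
    'pcre:"/obj((?!I Love the Smell of Recursion in the Morning).)+endobj/Os"; '
    'classtype:attempted-user; sid:88; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"bounded"; '
    'flow:established,from_server; pcre:"/obj(?:(?!endobj).){1,4096}endobj/s"; '
    'sid:89; rev:1;)',
]

# pcre:"[!]/pattern/flags" as written in Snort rule options
PCRE_OPT = re.compile(r'pcre:\s*"(?P<neg>!?)/(?P<pat>.*)/(?P<flags>[A-Za-z]*)"')

# A group repeated with + or * whose body is a lookaround followed by one
# character, e.g. ((?!X).)+ -- PCRE 8.x's pcre_exec() recurses into match()
# once per iteration, so the depth grows with the length of the matched run.
PER_CHAR_LOOP = re.compile(r'\((?:\?:)?\(\?<?[!=][^)]*\)\.\)[+*]')


def parse_pcre(rule):
    """Return (pattern, flags) from the rule's pcre option, or None if absent."""
    m = PCRE_OPT.search(rule)
    if m is None:
        return None
    return m.group('pat'), m.group('flags')


def lint_rule(rule):
    """Return a list of findings describing why this rule can run PCRE unbounded."""
    findings = []
    parsed = parse_pcre(rule)
    if parsed is None:
        return findings
    pat, flags = parsed
    overrides = 'O' in flags            # Snort: ignore pcre_match_limit(_recursion)
    per_char = PER_CHAR_LOOP.search(pat) is not None
    if overrides:
        findings.append('O modifier: configured PCRE match/recursion limits are bypassed')
    if per_char:
        findings.append('unbounded per-character loop around a lookaround: '
                        'recursion depth grows with payload length')
    if overrides and per_char:
        findings.append('both together: a long enough matching payload can exhaust '
                        'the stack inside pcre_exec() (compare rdepth=14139 above)')
    return findings
```

Run lint_rule over a rules file line by line; a non-empty result on a rule that also carries O is the case to send back to the rule author.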
Current thread:
- PCRE recursion limit override related segv... Will Metcalf (Aug 31)
- Re: PCRE recursion limit override related segv... Joel Esler (Aug 31)
- Re: PCRE recursion limit override related segv... Joel Esler (Aug 31)
- Re: PCRE recursion limit override related segv... Steven Sturges (Aug 31)
- Re: PCRE recursion limit override related segv... Will Metcalf (Aug 31)
- Re: PCRE recursion limit override related segv... Joel Esler (Aug 31)