[Bro] Segmentation fault while using own signature.
fatema bannatwala
fatema.bannatwala at gmail.com
Tue Jan 3 14:12:27 PST 2017
Hi all,
So I have a case where, if I use the following regexes in my signature file, everything works, but when I edit them to be more strict I get a segmentation fault about 5 minutes after Bro has started normally.
The working version:
signature rootkit-potential {
  payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
  event "Potential rootkit"
  tcp-state originator
}
signature rootkit-malware {
  payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
  event "rootkit malware"
  tcp-state originator
}
When I change the regexes to be more restrictive, the seg fault occurs:
signature rootkit-potential {
  payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "Potential rootkit"
  tcp-state originator
}
signature rootkit-malware {
  payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "rootkit malware"
  tcp-state originator
}
Any idea what might be going wrong?
Thanks,
Fatema.
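The two signature versions above differ in what they accept: the loose `[0-9\.]{7,15}` class matches any 7 to 15 digits and dots, while the stricter dotted-quad form only matches something shaped like an IPv4 address. The following script is an added example, not part of the original post and not Bro's own matcher; it uses Python's `re` module (with `DOTALL` so `.` crosses newlines, an assumption about how the payload is treated) to compare the match sets of both payload regexes against a few constructed sample payloads. This is useful for checking, offline and before deployment, that a tightened signature still fires on the intended traffic and stops firing on the false positives the loose one accepted. It cannot reproduce Bro's regex engine behaviour or the crash itself; it only shows the logical difference between the two patterns.

```python
import re

# Payload regexes copied from the two signature versions in the post.
# "loose" is the working version, "strict" is the version that crashes Bro.
SIGNATURES = {
    "rootkit-potential": {
        "loose":  r".*[0-9\.]{7,15}\|[0-9]{1,5}.*",
        "strict": r".*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*",
    },
    "rootkit-malware": {
        "loose":  r".*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*",
        "strict": r".*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*",
    },
}

# Constructed sample payloads (not captured traffic); the first element is a
# label, the second the bytes a signature would be evaluated against.
SAMPLES = [
    ("ip_and_port",      "192.168.1.10|4444"),
    ("digits_only",      "1234567|80"),          # loose matches, strict does not
    ("three_octets",     "10.20.30|443"),        # loose matches, strict does not
    ("banner_ip_port",   "SSH-2.5-OpenSSH_6.1.9 192.168.1.10|4444"),
    ("banner_digits",    "SSH-2.5-OpenSSH_6.1.9 1234567|80"),
    ("benign",           "hello world"),
]

# Signature payload patterns are written with leading and trailing ".*", so a
# full match against the payload is the natural comparison (assumption).
COMPILED = {
    name: {kind: re.compile(pat, re.DOTALL) for kind, pat in kinds.items()}
    for name, kinds in SIGNATURES.items()
}


def classify(signature: str, payload: str) -> dict:
    """Return {"loose": bool, "strict": bool} for one signature and payload."""
    pats = COMPILED[signature]
    return {kind: pats[kind].fullmatch(payload) is not None for kind in pats}


def diff_match_sets(signature: str, samples=SAMPLES) -> dict:
    """Map each sample label to its loose/strict verdicts, plus the labels the
    tightening removed (matched loosely but not strictly) or newly added."""
    verdicts = {label: classify(signature, p) for label, p in samples}
    removed = [l for l, v in verdicts.items() if v["loose"] and not v["strict"]]
    added = [l for l, v in verdicts.items() if v["strict"] and not v["loose"]]
    return {"verdicts": verdicts, "removed_by_strict": removed, "added_by_strict": added}


if __name__ == "__main__":
    for sig in SIGNATURES:
        result = diff_match_sets(sig)
        print(f"== {sig} ==")
        for label, v in result["verdicts"].items():
            print(f"  {label:16s} loose={v['loose']!s:5} strict={v['strict']!s:5}")
        print(f"  removed by tightening: {result['removed_by_strict']}")
        print(f"  added by tightening:   {result['added_by_strict']}")
```

Run it as a plain script; each signature prints one verdict line per sample, followed by the labels that the stricter pattern no longer matches. The stricter form should never add matches, only remove them, which the `added_by_strict` list makes easy to confirm.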