[Bro] Segmentation fault while using own signature.
Slagell, Adam J
slagell at illinois.edu
Wed Jan 11 16:16:17 PST 2017
Not sure; it deserves a response and a ticket if no one has done that.
> On Jan 3, 2017, at 4:12 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Hi all,
>
> So I have a case where if I use the following regex in a sig file, it works, but when I edit it and make it more strict I get a segmentation fault about 5 minutes after Bro starts normally:
>
> The working version:
>
> signature rootkit-potential {
> payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
> event "Potential rootkit"
> tcp-state originator
> }
>
> signature rootkit-malware {
> payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
> event "rootkit malware"
> tcp-state originator
> }
>
> When I change regex to be more restrictive, Seg fault occurs:
>
> signature rootkit-potential {
> payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> event "Potential rootkit"
> tcp-state originator
> }
>
> signature rootkit-malware {
> payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> event "rootkit malware"
> tcp-state originator
> }
>
> Any idea what might be going wrong?
>
> Thanks,
> Fatema.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro