[Bro] Segmentation fault while using own signature.

[Slagell, Adam J]

Not sure, it deserves a response and ticket if no one has done that. 

> On Jan 3, 2017, at 4:12 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Hi all,
> 
> So I have a case where if I use following regex in sig file, it works, but when I edit it and make it more strict I get segmentation fault in like 5 minutes after bro gets normally started:
> 
> The working version:
> 
> signature rootkit-potential {
>   payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
>   event "Potential rootkit"
>   tcp-state originator
> }
> 
> signature rootkit-malware {
>   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
>   event "rootkit malware"
>   tcp-state originator
> }
> 
> When I change regex to be more restrictive, Seg fault occurs:
> 
> signature rootkit-potential {
>   payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
>   event "Potential rootkit"
>   tcp-state originator
> }
> 
> signature rootkit-malware {
>   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
>   event "rootkit malware"
>   tcp-state originator
> }
> 
> Any idea what might be going wrong?
> 
> Thanks,
> Fatema.
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro