[Bro] Segmentation fault while using own signature.

Vlad Grigorescu vladg at illinois.edu
Thu Jan 12 11:33:55 PST 2017


I could be mistaken, but some of these don't look like correct escape sequences for Bro regular expressions.

Check out the PATTERNS section of the flex documentation:

http://dinosaur.compilertools.net/flex/manpage.html

  --Vlad


fatema bannatwala <fatema.bannatwala at gmail.com> writes:

> Hi all,
>
> So I have a case where if I use the following regex in the sig file, it works, but
> when I edit it and make it more strict I get a segmentation fault about 5
> minutes after bro starts normally:
>
> The working version:
>
> signature rootkit-potential {
>   payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
>   event "Potential rootkit"
>   tcp-state originator
> }
>
> signature rootkit-malware {
>   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
>   event "rootkit malware"
>   tcp-state originator
> }
>
> When I change the regex to be more restrictive, a segfault occurs:
>
> signature rootkit-potential {
>   payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
>   event "Potential rootkit"
>   tcp-state originator
> }
>
> signature rootkit-malware {
>   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
>   event "rootkit malware"
>   tcp-state originator
> }
>
> Any idea what might be going wrong?
>
> Thanks,
> Fatema.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
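An added example, not code from the thread and not Bro's own code: a small Python linter that reads a .sig file, flags the PCRE-style constructs Vlad is pointing at (\d, \w, \s, \b and the (?: group), and proposes a rewrite in plain flex syntax, plus a helper that shows what the flex escape rules in the linked manpage make of such a pattern. It assumes those manpage rules (an escape flex gives no meaning to, such as \d, is the literal character) and ASCII definitions for \w and \s; it does not consult Bro's own matcher and says nothing about why Bro crashed.

```python
r"""Lint Bro signature payload patterns for PCRE-style syntax that flex-style
regexes do not have.  Added example for this thread, not Bro/Zeek code.  It
assumes the escape rules of the flex manpage linked above: \X is a literal X
unless X is one of a b f n r t v, an octal digit or x (hex), and there are
no (?...) extensions.  Bro's own engine is not consulted here."""
import re

# PCRE shorthand classes -> flex bracket-class contents (assumes ASCII \w and \s)
SHORTHAND = {"d": "0-9", "w": "A-Za-z0-9_", "s": r" \t\n\r\f\v"}
NO_REWRITE = "DWSbBAZz"  # PCRE escapes with no one-line rewrite; reported only
C_ESCAPES = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t", "v": "\v"}
PAYLOAD_RE = re.compile(r"^(\s*payload\s+)/(.*)/\s*$")


def lint_pattern(pat):
    r"""Return (findings, rewritten) for one payload pattern body.  findings is
    [(offset, message)]; rewritten expands \d \w \s to bracket classes and turns
    (?: into (, so the pattern means in flex what the author meant in PCRE.
    Other unsupported escapes are only reported."""
    findings, out = [], []
    i, n, in_class = 0, len(pat), False
    while i < n:
        c = pat[i]
        if c == "\\" and i + 1 < n:  # escapes work the same inside [...]
            esc = pat[i + 1]
            if esc in SHORTHAND:
                body = SHORTHAND[esc]
                findings.append((i, f"\\{esc} is a literal '{esc}' in flex; use [{body}]"))
                out.append(body if in_class else f"[{body}]")
            elif esc in NO_REWRITE:
                findings.append((i, f"\\{esc} is a literal '{esc}' in flex; no direct equivalent"))
                out.append(pat[i:i + 2])
            else:  # \\ \. \| \/ and the C escapes are fine in flex
                out.append(pat[i:i + 2])
            i += 2
        elif in_class:
            in_class = c != "]"
            out.append(c)
            i += 1
        elif c == "[":
            in_class = True
            out.append(c)
            i += 1
        elif pat.startswith("(?:", i):
            findings.append((i, "(?: non-capturing group is not flex syntax; use ("))
            out.append("(")
            i += 3
        else:
            if pat.startswith("(?", i):
                findings.append((i, "(? extension is not flex syntax"))
            out.append(c)
            i += 1
    return findings, "".join(out)


def flex_matches(pat, text):
    r"""Match text against pat as flex would read its escapes, using Python's re
    engine as a stand-in: an escape flex gives no meaning to is the literal
    character (\d is just "d").  Octal/hex escapes and (?...) are passed through
    untranslated, so keep test patterns free of them."""
    py, i, n = [], 0, len(pat)
    while i < n:
        if pat[i] == "\\" and i + 1 < n:
            esc = pat[i + 1]
            if esc in C_ESCAPES:
                py.append(re.escape(C_ESCAPES[esc]))
            elif esc == "x" or esc in "01234567":
                py.append(pat[i:i + 2])
            else:
                py.append(re.escape(esc))
            i += 2
        else:
            py.append(pat[i])
            i += 1
    return re.fullmatch("".join(py), text) is not None


def lint_sig_text(text):
    """Lint every payload line of a .sig file: [(lineno, findings, fixed_line)]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PAYLOAD_RE.match(line)
        if m:
            findings, fixed = lint_pattern(m.group(2))
            if findings:
                results.append((lineno, findings, f"{m.group(1)}/{fixed}/"))
    return results


# The two "more restrictive" signatures quoted in the thread, as sample input.
THREAD_SIGS = r"""
signature rootkit-potential {
  payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "Potential rootkit"
  tcp-state originator
}
signature rootkit-malware {
  payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "rootkit malware"
  tcp-state originator
}
"""
```

lint_sig_text(THREAD_SIGS) reports both payload lines, each with six findings (the (?: group and five \d escapes) and a rewrite that uses ( and [0-9]. The second helper makes the practical consequence visible: flex_matches(r"\d{1,5}", "ddddd") is True and flex_matches(r"\d{1,5}", "22") is False, so if Bro follows the flex rules, the \d{1,5} in the "working" rootkit-malware signature above was never matching a port number either; it was matching a run of the letter d.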