[Bro] Segmentation fault while using own signature.

Mike Dopheide dopheide at gmail.com
Thu Jan 12 11:53:22 PST 2017


That's a good catch, I _think_ \d isn't supported, so you'll want to use
[0-9].

I've chatted with Fatema off-list and I don't think this is the problem
though.  The \d should just cause the signature to not match correctly.

-Dop

On Thu, Jan 12, 2017 at 1:33 PM, Vlad Grigorescu <vladg at illinois.edu> wrote:

> I could be mistaken, but some of these don't look like correct escape
> sequences for Bro regular expressions.
>
> Check out the PATTERNS section of the flex documentation:
>
> http://dinosaur.compilertools.net/flex/manpage.html
>
>   --Vlad
>
>
> fatema bannatwala <fatema.bannatwala at gmail.com> writes:
>
> > Hi all,
> >
> > So I have a case where if I use following regex in sig file, it works,
> but
> > when I edit it and make it more strict I get segmentation fault in like 5
> > minutes after bro gets normally started:
> >
> > The working version:
> >
> > signature rootkit-potential {
> >   payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
> >   event "Potential rootkit"
> >   tcp-state originator
> > }
> >
> > signature rootkit-malware {
> >   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
> >   event "rootkit malware"
> >   tcp-state originator
> > }
> >
> > When I change regex to be more restrictive, Seg fault occurs:
> >
> > signature rootkit-potential {
> >   payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> >   event "Potential rootkit"
> >   tcp-state originator
> > }
> >
> > signature rootkit-malware {
> >   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> >   event "rootkit malware"
> >   tcp-state originator
> > }
> >
> > Any idea what might be going wrong?
> >
> > Thanks,
> > Fatema.
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
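As an added illustration (this is not code from the thread or from Bro itself), the check below walks a Bro signature file and flags Perl-style shorthand escapes inside `payload /.../` patterns, rewriting `\d` to `[0-9]` as Dop suggests. The `\w` and `\s` rows, the regex names (`SIG_RE`, `PAYLOAD_RE`, `BARE_RE`) and the sample signature block are this script's own assumptions; the sample is built from the `rootkit-malware` signature quoted above. Running such a lint before a signature is pushed to a sensor catches the silent failure mode Dop describes, where an unsupported escape simply never matches.

```python
"""Lint Bro signature files for Perl-style escapes that Bro's flex-like
pattern syntax does not support, and rewrite them to bracket classes."""
import re

# Shorthand class -> equivalent bracket expression.
# 'd' is the fix from the thread (\d -> [0-9]); 'w' and 's' are this script's
# assumption, applied on the same principle.
SHORTHAND = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9_]",
    "s": "[ \\t\\n\\r\\f\\v]",
}

SIG_RE = re.compile(r"^\s*signature\s+(\S+)\s*\{")          # signature name {
PAYLOAD_RE = re.compile(r"^(\s*payload\s+)/(.*)/\s*$")      # payload /.../
BARE_RE = re.compile(r"^(\s*)/(.*)/\s*$")                   # /.../ alone on a line


def rewrite_pattern(pattern):
    r"""Return (rewritten, flagged) for one regex body.

    Walks the pattern one escape at a time so that a literal backslash (\\)
    followed by 'd' is not mistaken for the shorthand \d."""
    out, flagged, i = [], [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in SHORTHAND:
                flagged.append("\\" + nxt)
                out.append(SHORTHAND[nxt])
            else:
                out.append(c + nxt)  # keep \. \| \\ and friends verbatim
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out), flagged


def process_signatures(text):
    r"""Return (fixed_text, findings) for a whole signature file.

    findings is a list of (line_no, signature_name, escape). The rewritten
    text has every flagged payload replaced. The 'payload' keyword may sit
    alone on a line with the /.../ pattern on the next line, as it does in
    the mail-wrapped form quoted in the thread."""
    out_lines, findings = [], []
    name, expecting = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = SIG_RE.match(raw)
        if m:
            name = m.group(1)
        pm = (BARE_RE if expecting else PAYLOAD_RE).match(raw)
        if pm:
            expecting = False
            rewritten, flagged = rewrite_pattern(pm.group(2))
            findings.extend((lineno, name, esc) for esc in flagged)
            raw = f"{pm.group(1)}/{rewritten}/"
        elif raw.strip() == "payload":
            expecting = True
        else:
            expecting = False
        out_lines.append(raw)
    return "\n".join(out_lines) + "\n", findings


# Constructed sample: the rootkit-malware signature from the thread.
SAMPLE = r"""signature rootkit-malware {
  payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
  event "rootkit malware"
  tcp-state originator
}
"""


def lint_sample():
    """Lint the constructed sample; returns its findings."""
    fixed, findings = process_signatures(SAMPLE)
    for lineno, sig, esc in findings:
        print(f"line {lineno} ({sig}): unsupported escape {esc}")
    print(fixed)
    return findings


if __name__ == "__main__":
    lint_sample()
```

The walker is deliberately character-by-character rather than a `re.sub` on `\\d`, because a pattern such as `\\d` (an escaped backslash followed by a literal `d`) is valid and must not be touched.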