[Bro] Segmentation fault while using own signature.
Mike Dopheide
dopheide at gmail.com
Thu Jan 12 11:53:22 PST 2017
That's a good catch, I _think_ \d isn't supported, so you'll want to use
[0-9].
I've chatted with Fatema off-list and I don't think this is the problem
though. The \d should just cause the signature to not match correctly.
-Dop
On Thu, Jan 12, 2017 at 1:33 PM, Vlad Grigorescu <vladg at illinois.edu> wrote:
> I could be mistaken, but some of these don't look like correct escape
> sequences for Bro regular expressions.
>
> Check out the PATTERNS section of the flex documentation:
>
> http://dinosaur.compilertools.net/flex/manpage.html
>
> --Vlad
>
>
> fatema bannatwala <fatema.bannatwala at gmail.com> writes:
>
> > Hi all,
> >
> > So I have a case where if I use following regex in sig file, it works, but
> > when I edit it and make it more strict I get segmentation fault in like 5
> > minutes after bro gets normally started:
> >
> > The working version:
> >
> > signature rootkit-potential {
> > payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
> > event "Potential rootkit"
> > tcp-state originator
> > }
> >
> > signature rootkit-malware {
> > payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
> > event "rootkit malware"
> > tcp-state originator
> > }
> >
> > When I change regex to be more restrictive, Seg fault occurs:
> >
> > signature rootkit-potential {
> > payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> > event "Potential rootkit"
> > tcp-state originator
> > }
> >
> > signature rootkit-malware {
> > payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> > event "rootkit malware"
> > tcp-state originator
> > }
> >
> > Any idea what might be going wrong?
> >
> > Thanks,
> > Fatema.
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
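As an added example (not part of this thread and not Bro project code), the following Python linter pulls the `payload` patterns out of a signature file in the block format Fatema posted and flags the constructs discussed above: Perl-style shorthand escapes such as `\d`, which Dop recommends spelling as `[0-9]`, and, as my own assumption based on the flex PATTERNS documentation Vlad links (which groups with plain parentheses), the PCRE non-capturing group `(?:`. It also emits a rewritten pattern using only bracket expressions and plain groups. The `SAMPLE_SIG` text, the `SHORTHAND` table and the function names are constructed for this example; the linter is a syntax check and does not claim to reproduce the crash, which Dop says has a different cause.

```python
import re

# Constructed sample signature file, reproducing the "more restrictive" pattern
# quoted in the thread.
SAMPLE_SIG = r'''
signature rootkit-potential {
  payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "Potential rootkit"
  tcp-state originator
}
'''

# Perl shorthand classes and their bracket-expression bodies.
# Assumption: Bro's flex-derived matcher accepts bracket expressions but not
# these backslash shorthands.
SHORTHAND = {
    "d": "0-9",
    "w": "A-Za-z0-9_",
    "s": " \t\r\n\f\v",
}

# One payload line per signature: "payload /<pattern>/" on its own line.
PAYLOAD_RE = re.compile(r'^\s*payload\s+/(.*)/\s*$', re.M)


def extract_payloads(sig_text):
    """Return the raw regex bodies of every payload line in a signature file."""
    return PAYLOAD_RE.findall(sig_text)


def lint_pattern(pat):
    """Check one payload pattern for non-flex syntax.

    Returns (issues, rewritten): issues is a list of (offset, message) pairs,
    rewritten is the pattern with \\d/\\w/\\s expanded to bracket expressions
    (or merged into an enclosing bracket expression) and (?: reduced to "(".
    """
    issues = []
    out = []
    in_class = False  # True while inside a [...] bracket expression
    i = 0
    while i < len(pat):
        c = pat[i]
        if c == "\\" and i + 1 < len(pat):
            nxt = pat[i + 1]
            if nxt in SHORTHAND:
                issues.append((i, f"\\{nxt} is Perl shorthand, not a flex escape"))
                body = SHORTHAND[nxt]
                # Inside a class only the range text is needed, e.g. [\d_] -> [0-9_]
                out.append(body if in_class else f"[{body}]")
            else:
                out.append(c + nxt)  # keep ordinary escapes such as \. and \| as-is
            i += 2
            continue
        if not in_class and pat.startswith("(?:", i):
            issues.append((i, "(?: is a PCRE non-capturing group; flex groups with plain ( )"))
            out.append("(")
            i += 3
            continue
        if c == "[" and not in_class:
            in_class = True
        elif c == "]" and in_class:
            in_class = False
        out.append(c)
        i += 1
    return issues, "".join(out)


def lint_signatures(sig_text):
    """Lint every payload pattern in a signature file.

    Returns a list of (original_pattern, issues, rewritten_pattern) tuples.
    """
    return [(p, *lint_pattern(p)) for p in extract_payloads(sig_text)]


if __name__ == "__main__":
    for original, issues, fixed in lint_signatures(SAMPLE_SIG):
        print("payload:", original)
        for offset, msg in issues:
            print(f"  offset {offset}: {msg}")
        print("rewritten:", fixed)
```

Running it on the sample prints six findings (the `(?:` group and five `\d` escapes) and the rewritten pattern `.*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\|[0-9]{1,5}).*`; the "working version" pattern from the thread passes with no findings and is returned unchanged.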