[Bro] Segmentation fault while using own signature.
Seth Hall
seth at icir.org
Fri Jan 13 06:38:20 PST 2017
Hi Fatema,
Have you been able to get a stack trace? That would be the most helpful. I suspect that Dop is right though, the problem you're encountering with Bro crashing much be somewhere else. I have a hard time believing that this is the cause of the crash.
Another small note about the regular expressions you are writing is that Bro doesn't support the (?:abc) mechanism to prevent captures from occurring. You can leave out the "?:" when writing regular expressions. Bro has "flex-ish" regular expressions but it doesn't support all of the features that flex has.
.Seth
> On Jan 3, 2017, at 5:12 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Hi all,
>
> So I have a case where if I use following regex in sig file, it works, but when I edit it and make it more strict I get segmentation fault in like 5 minutes after bro gets normally started:
>
> The working version:
>
> signature rootkit-potential {
> payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
> event "Potential rootkit"
> tcp-state originator
> }
>
> signature rootkit-malware {
> payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
> event "rootkit malware"
> tcp-state originator
> }
>
> When I change regex to be more restrictive, Seg fault occurs:
>
> signature rootkit-potential {
> payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> event "Potential rootkit"
> tcp-state originator
> }
>
> signature rootkit-malware {
> payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> event "rootkit malware"
> tcp-state originator
> }
>
> Any idea what might be going wrong?
>
> Thanks,
> Fatema.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list