[Bro] Segmentation fault while using own signature.

Seth Hall seth at icir.org
Fri Jan 13 06:38:20 PST 2017


Hi Fatema,

Have you been able to get a stack trace?  That would be the most helpful.  I suspect that Dop is right though, the problem you're encountering with Bro crashing must be somewhere else.  I have a hard time believing that this is the cause of the crash.

Another small note about the regular expressions you are writing is that Bro doesn't support the (?:abc) mechanism to prevent captures from occurring.  You can leave out the "?:" when writing regular expressions.  Bro has "flex-ish" regular expressions but it doesn't support all of the features that flex has.

  .Seth

> On Jan 3, 2017, at 5:12 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Hi all,
> 
> So I have a case where if I use following regex in sig file, it works, but when I edit it and make it more strict I get segmentation fault in like 5 minutes after bro gets normally started:
> 
> The working version:
> 
> signature rootkit-potential {
>   payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
>   event "Potential rootkit"
>   tcp-state originator
> }
> 
> signature rootkit-malware {
>   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
>   event "rootkit malware"
>   tcp-state originator
> }
> 
> When I change regex to be more restrictive, Seg fault occurs:
> 
> signature rootkit-potential {
>   payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
>   event "Potential rootkit"
>   tcp-state originator
> }
> 
> signature rootkit-malware {
>   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
>   event "rootkit malware"
>   tcp-state originator
> }
> 
> Any idea what might be going wrong?
> 
> Thanks,
> Fatema.
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
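As an added example (not part of the thread, and not Bro's own code), here is a Python script that applies the advice above mechanically: it scans a signature file for payload regexes that use the `(?:...)` non-capturing syntax, rewrites them to plain `(...)` groups, and uses Python's `re` module to confirm that the original and rewritten patterns agree on a few constructed sample payloads. The signature text and the sample payloads are constructed for the example. Python's `re` is only a stand-in for Bro's flex-style matcher, so the check shows that dropping `?:` does not change what a pattern matches; it does not prove that Bro accepts every other construct in the pattern.

```python
import re

# Constructed copy of the stricter signature file from the thread, embedded
# inline so the script runs offline (example input, not a file from the page).
SIG_FILE = r"""
signature rootkit-potential {
  payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "Potential rootkit"
  tcp-state originator
}

signature rootkit-malware {
  payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "rootkit malware"
  tcp-state originator
}
"""

# Constructed sample payloads to compare the two regex forms against.
SAMPLES = [
    "SSH-2.5-OpenSSH_6.1.9 192.168.1.10|4444",  # banner + ip|port: both signatures
    "hello 10.0.0.1|22 world",                  # ip|port only: rootkit-potential
    "SSH-2.0-OpenSSH_7.4",                      # neither
]

SIG_HEADER = re.compile(r'^\s*signature\s+(\S+)\s*\{')
PAYLOAD_LINE = re.compile(r'^(\s*payload\s+)/(.*)/\s*$')
NONCAPTURE = re.compile(r'\(\?:')


def parse_payloads(sig_text):
    """Return [(signature_name, payload_regex), ...] in file order."""
    found, current = [], None
    for line in sig_text.splitlines():
        m = SIG_HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        pm = PAYLOAD_LINE.match(line)
        if pm:
            found.append((current, pm.group(2)))
    return found


def find_noncapturing(sig_text):
    """Names of signatures whose payload regex uses the unsupported (?:...) form."""
    return [name for name, pat in parse_payloads(sig_text) if NONCAPTURE.search(pat)]


def to_bro_groups(pattern):
    """Turn every (?:...) into (...): same language, Bro-compatible syntax."""
    return NONCAPTURE.sub('(', pattern)


def rewrite_sig_file(sig_text):
    """Rewrite only the payload lines; every other line is passed through."""
    out = []
    for line in sig_text.splitlines():
        pm = PAYLOAD_LINE.match(line)
        if pm:
            line = f"{pm.group(1)}/{to_bro_groups(pm.group(2))}/"
        out.append(line)
    return "\n".join(out)


def match_report(sig_text, samples=SAMPLES):
    """For each signature, which samples its payload regex matches.

    Python's re stands in for Bro's matcher here. The function also asserts
    that the original and the rewritten form agree on every sample.
    """
    report = {}
    for name, pat in parse_payloads(sig_text):
        orig = re.compile(pat, re.DOTALL)
        new = re.compile(to_bro_groups(pat), re.DOTALL)
        hits = []
        for s in samples:
            a, b = bool(orig.search(s)), bool(new.search(s))
            assert a == b, f"{name}: forms disagree on {s!r}"
            hits.append(b)
        report[name] = hits
    return report


if __name__ == "__main__":
    print("uses (?:...):", find_noncapturing(SIG_FILE))
    print(rewrite_sig_file(SIG_FILE))
    for name, hits in match_report(SIG_FILE).items():
        print(name, hits)
```

Running the script prints the two signature names that use `(?:`, the rewritten signature file, and for each signature a list showing which of the three sample payloads it matches; the rewritten file produces the same lists as the original.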
