[Snort-devel] Snort 2.7 Segfaults w/bleeding-exploit

Todd Wease twease at ...402...
Wed Jul 25 21:11:48 EDT 2007


The segfault seems to be caused by these two rules in bleeding-exploit.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 1"; flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 3"; flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742; rev:5;)


I only tested the bleeding-exploit.rules file so I don't know if other rules files might cause the same issue.  You should comment these out until we find a solution to the issue.

Thanks
Todd



Todd Wease wrote:
> Bamm Visscher wrote:
>> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
>> The first is fairly simple.
>>
>> Initializing rule chains...
>> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
>> rule: >1<5
>> Fatal Error, Quitting..
>
> The correct syntax is
>
> 1<>5     /* between 1 and 5 */
>
> I don't think that '>1<5' was ever valid syntax.  It was just that Snort
> syntax error checking didn't catch it as invalid and was probably doing
> the wrong thing with it.
>
>> The below thread on snort-sigs seems to address the issue, not sure
>> when the change of syntax occurred
>>
>> [Snort-sigs] icode syntax (snort 2.7.0)
>> (http://archive.netbsd.se/?ml=snort-sigs&a=2007-07&m=4728221)
>
> This post didn't escape html special chars like '<'.  Disregard what you
> see.
>
>> The next issue is a bit different.
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
>> 1277        return (StreamFlowData *)ssn->flowdata->data;
>
> Thanks for the heads up.  We're looking into it.
>
>> If I comment out bleeding-exploit.rules, everything works fine. Snort
>> doesn't complain with -T either.  I am getting ready to head out, so
>> if anyone else can confirm the issue, that'd be great. Otherwise I'll
>> try to track down what rule is triggering the issue when I can get
>> some more time.
>>
>> Bammkkkk
>>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
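The icode discussion in the quoted thread turns on which argument forms the Snort 2.x icode/itype keywords accept (N, >N, <N, A<>B) and why ">1<5" is refused at load time. The following is an added example, not code from the thread or from Snort itself: a small Python parser for those argument forms plus a linter that reports the offending option in a rule before Snort does. The sample rules, the sid values and the inclusive treatment of the A<>B range are assumptions constructed for the example.

```python
import re
from typing import Callable, List

# Argument forms accepted by the Snort 2.x icode/itype keywords:
#   N       exact match              icode:0
#   >N      greater than N           icode:>1
#   <N      less than N              icode:<5
#   A<>B    between A and B          icode:1<>5
# Anything else, including the ">1<5" form from the thread, is rejected,
# which is what Snort 2.7's stricter syntax checking does at load time.
_EXACT = re.compile(r"^\s*(\d+)\s*$")
_GT = re.compile(r"^\s*>\s*(\d+)\s*$")
_LT = re.compile(r"^\s*<\s*(\d+)\s*$")
_RANGE = re.compile(r"^\s*(\d+)\s*<>\s*(\d+)\s*$")


class RuleSyntaxError(ValueError):
    """An icode/itype argument that Snort would refuse to load."""


def _code(text: str) -> int:
    """ICMP type and code are single bytes, so anything outside 0..255 is an error."""
    n = int(text)
    if not 0 <= n <= 255:
        raise RuleSyntaxError(f"value {n} is outside 0..255")
    return n


def parse_icode(arg: str) -> Callable[[int], bool]:
    """Compile an icode/itype argument into a predicate over a packet's ICMP code."""
    if m := _EXACT.match(arg):
        n = _code(m.group(1))
        return lambda code: code == n
    if m := _GT.match(arg):
        n = _code(m.group(1))
        return lambda code: code > n
    if m := _LT.match(arg):
        n = _code(m.group(1))
        return lambda code: code < n
    if m := _RANGE.match(arg):
        lo, hi = _code(m.group(1)), _code(m.group(2))
        if lo >= hi:
            raise RuleSyntaxError(f"range bounds out of order: {arg.strip()}")
        # Assumption: the range is treated as inclusive here; check your Snort
        # release's manual for how it handles the boundary values.
        return lambda code: lo <= code <= hi
    raise RuleSyntaxError(f"unsupported form {arg.strip()!r} (expected N, >N, <N or A<>B)")


# One rule option: keyword, colon, argument up to the terminating semicolon.
_OPTION = re.compile(r"\b(icode|itype)\s*:\s*([^;]*);")


def lint_rule(rule: str) -> List[str]:
    """Report every icode/itype option in a rule that would stop Snort from loading it."""
    problems = []
    for m in _OPTION.finditer(rule):
        try:
            parse_icode(m.group(2))
        except RuleSyntaxError as exc:
            problems.append(f"{m.group(1)}:{m.group(2).strip()} -> {exc}")
    return problems


# Constructed sample rules (not from any real ruleset); they differ only in the icode argument.
BAD_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed icode test"; '
            'itype:3; icode:>1<5; sid:1000001; rev:1;)')
GOOD_RULE = BAD_RULE.replace("icode:>1<5;", "icode:1<>5;")

if __name__ == "__main__":
    for rule in (BAD_RULE, GOOD_RULE):
        print(lint_rule(rule) or ["ok"])
    in_range = parse_icode("1<>5")
    print([c for c in range(8) if in_range(c)])
```

Running the linter over a rules directory before restarting the sensor turns a fatal load error into a list of option strings to fix; the predicate returned by parse_icode is the same shape a packet-matching engine would call with the ICMP code pulled from the packet.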




