[Snort-devel] Snort 2.7 Segfaults w/bleeding-exploit

Matt Jonkman jonkman at ...2939...
Wed Jul 25 21:14:25 EDT 2007


I think that's good for the short term. Neither of these rules is
mission critical. There are better alternatives.

Doing so now, thanks Todd

Matt

Todd Wease wrote:
> The segfault seems to be caused by these two rules in bleeding-exploit.rules:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
> WMF Escape Record Exploit - Version 1";
> flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/";
> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> threshold:type limit, track by_src, count 1,seconds 120;
> reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758;
> rev:2;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
> WMF Escape Record Exploit - Version 3";
> flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/";
> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> threshold:type limit, track by_src, count 1,seconds 120;
> reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742;
> rev:5;)
> 
> 
> I only tested the bleeding-exploit.rules file so I don't know if other rules files might cause the same issue.  You should comment these out until we find a solution to the issue.
> 
> Thanks
> Todd
> 
> 
> 
> Todd Wease wrote:
>> Bamm Visscher wrote:
>>
>>> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
>>> The first is fairly simple.
>>>
>>> Initializing rule chains...
>>> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
>>> rule: >1<5
>>> Fatal Error, Quitting..
>>
>> The correct syntax is
>>
>> 1<>5     /* between 1 and 5 */
>>
>> I don't think that '>1<5' was ever valid syntax.  It was just that Snort
>> syntax error checking didn't catch it as invalid and was probably doing
>> the wrong thing with it.
>>
>>
>>> The below thread on snort-sigs seems to address the issue, not sure
>>> when the change of syntax occurred
>>>
>>> [Snort-sigs] icode syntax (snort 2.7.0)
>>> (http://archive.netbsd.se/?ml=snort-sigs&a=2007-07&m=4728221)
>>
>> This post didn't escape html special chars like '<'.  Disregard what you
>> see.
>>
>>
>>> The next issue is a bit different.
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
>>> 1277        return (StreamFlowData *)ssn->flowdata->data;
>>
>> Thanks for the heads up.  We're looking into it.
>>
>>
>>> If I comment out bleeding-exploit.rules, everything works fine. Snort
>>> doesn't complain with -T either.  I am getting ready to head out, so
>>> if anyone else can confirm the issue, that'd be great. Otherwise I'll
>>> try to track down what rule is triggering the issue when I can get
>>> some more time.
>>>
>>> Bammkkkk
>>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc.
>> Still grepping through log files to find problems?  Stop.
>> Now Search log events and configuration files using AJAX and a browser.
>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
> 

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
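Todd's two suggestions in the quoted text, checking icode/itype range syntax and commenting out the two offending rules by sid, as an added Python example that is not part of this thread or of Snort itself; the sample rules file is constructed, reusing the sids quoted above plus hypothetical sids for the icode cases:

```python
import re

# Snort 2.x documents icode/itype as one of: n, >n, <n, lo<>hi.
# The ">1<5" form from bleeding-dos.rules matches none of these, which is
# why 2.7.0 rejects it while older builds silently did the wrong thing.
_RANGE = re.compile(r"^(?:[<>]?\d+|\d+<>\d+)$")
_OPTION = re.compile(r"\b(icode|itype)\s*:\s*([^;]*);")
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules file (one rule per line, as in a real .rules file).
SAMPLE_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED bad range"; icode:>1<5; sid:9000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED good range"; icode:1<>5; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 1"; flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\\x26[\\x00-\\xff]\\x09\\x00/"; sid:2002758; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 3"; flowbits:isset,bleeding_wmf_expl; pcre:"/\\x26[\\x00-\\xff]\\x09\\x00/"; sid:2002742; rev:5;)
"""


def find_bad_ranges(rule_text):
    """Return (line_no, keyword, value) for each icode/itype option
    whose value is not one of the documented syntax forms."""
    bad = []
    for no, line in enumerate(rule_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank and already-disabled rules
        for kw, val in _OPTION.findall(line):
            if not _RANGE.match(val.strip()):
                bad.append((no, kw, val.strip()))
    return bad


def comment_out_sids(rule_text, sids):
    """Disable the rules whose sid is in `sids` by prefixing them with '#',
    leaving every other line (including already-commented ones) untouched."""
    out = []
    for line in rule_text.splitlines():
        m = _SID.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, kw, val in find_bad_ranges(SAMPLE_RULES):
        print(f"line {no}: invalid {kw} value {val!r}")
    print(comment_out_sids(SAMPLE_RULES, {2002758, 2002742}))
```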