[Snort-devel] Snort 2.7 Segfaults w/bleeding-exploit

Bamm Visscher bamm.visscher at ...2499...
Wed Jul 25 23:01:08 EDT 2007


Out of curiousity, what specifically is causing the segfault with those rules?


On 7/25/07, Todd Wease <twease at ...402...> wrote:
> The segfault seems to be caused by these two rules in
> bleeding-exploit.rules:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
> WMF Escape Record Exploit - Version 1";
> flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/";
> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> threshold:type limit, track by_src, count 1,seconds 120;
> reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758;
> rev:2;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
> WMF Escape Record Exploit - Version 3";
> flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/";
> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> threshold:type limit, track by_src, count 1,seconds 120;
> reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742;
> rev:5;)
>
>
> I only tested the bleeding-exploit.rules file so I don't know if other rules
> files might cause the same issue.  You should comment these out until we
> find a solution to the issue.
>
> Thanks
> Todd
>
>
>
> Todd Wease wrote:
> > Bamm Visscher wrote:
> >
> >> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
> >> The first is fairly simple.
> >>
> >> Initializing rule chains...
> >> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
> >> rule: >1<5
> >> Fatal Error, Quitting..
> >>
> >>
> >
> > The correct syntax is
> >
> > 1<>5     /* between 1 and 5 */
> >
> > I don't think that '>1<5' was ever valid syntax.  It was just that Snort
> > syntax error checking didn't catch it as invalid and was probably doing
> > the wrong thing with it.
> >
> >
> >> The below thread on snort-sigs seems to address the issue, not sure
> >> when the change of syntax occurred
> >>
> >> [Snort-sigs] icode syntax (snort 2.7.0)
> >> (http://archive.netbsd.se/?ml=snort-sigs&a=2007-07&m=4728221)
> >>
> >>
> >
> > This post didn't escape html special chars like '<'.  Disregard what you
> > see.
> >
> >
> >> The next issue is a bit different.
> >>
> >> Program received signal SIGSEGV, Segmentation fault.
> >> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
> >> 1277        return (StreamFlowData *)ssn->flowdata->data;
> >>
> >>
> >
> > Thanks for the heads up.  We're looking into it.
> >
> >
> >> If I comment out bleeding-exploit.rules, everything works fine. Snort
> >> doesn't complain with -T either.  I am getting ready to head out, so
> >> if anyone else can confirm the issue, that'd be great. Otherwise I'll
> >> try to track down what rule is triggering the issue when I can get
> >> some more time.
> >>
> >> Bammkkkk
> >>
> >>
> >>
> >
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems?  Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
>
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net




More information about the Snort-devel mailing list