[Snort-devel] Snort 2.7 Segfaults w/bleeding-exploit

Bamm Visscher bamm.visscher at ...2499...
Thu Jul 26 16:51:49 EDT 2007


Okay, so maybe not. Had some time to do more testing and at least two
other rules cause problems:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
EXPLOIT WMF Escape Record Exploit - Version 1";
flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/";
flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
threshold:type limit, track by_src, count 1,seconds 120;
reference:url,www.frsirt.com/english/advisories/2005/3086;
sid:2002758; rev:2;)

and

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
EXPLOIT WMF Escape Record Exploit - Version 3";
flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/";
flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
threshold:type limit, track by_src, count 1,seconds 120;
reference:url,www.frsirt.com/english/advisories/2005/3086;
sid:2002742; rev:5;)


One of the things that these rules have in common is that they all
have three "flowbits:unset," directives.

Bammkkkk


On 7/26/07, Bamm Visscher <bamm.visscher at ...2499...> wrote:
> Looks like the issue is w/rules that use flowbits, but don't have
> content: or flow:.
>
> Bammkkkk
>
>
> On 7/25/07, Bamm Visscher <bamm.visscher at ...2499...> wrote:
> > Out of curiosity, what specifically is causing the segfault with those rules?
> >
> >
> > On 7/25/07, Todd Wease <twease at ...402...> wrote:
> > > The segfault seems to be caused by these two rules in
> > > bleeding-exploit.rules:
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
> > > WMF Escape Record Exploit - Version 1";
> > > flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/";
> > > flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> > > flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> > > threshold:type limit, track by_src, count 1,seconds 120;
> > > reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758;
> > > rev:2;)
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
> > > WMF Escape Record Exploit - Version 3";
> > > flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/";
> > > flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> > > flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> > > threshold:type limit, track by_src, count 1,seconds 120;
> > > reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742;
> > > rev:5;)
> > >
> > >
> > > I only tested the bleeding-exploit.rules file so I don't know if other rules
> > > files might cause the same issue.  You should comment these out until we
> > > find a solution to the issue.
> > >
> > > Thanks
> > > Todd
> > >
> > >
> > >
> > > Todd Wease wrote:
> > > > Bamm Visscher wrote:
> > > >
> > > >> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
> > > >> The first is fairly simple.
> > > >>
> > > >> Initializing rule chains...
> > > >> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
> > > >> rule: >1<5
> > > >> Fatal Error, Quitting..
> > > >>
> > > >>
> > > >
> > > > The correct syntax is
> > > >
> > > > 1<>5     /* between 1 and 5 */
> > > >
> > > > I don't think that '>1<5' was ever valid syntax.  It was just that Snort
> > > > syntax error checking didn't catch it as invalid and was probably doing
> > > > the wrong thing with it.
> > > >
> > > >
> > > >> The below thread on snort-sigs seems to address the issue, not sure
> > > >> when the change of syntax occurred
> > > >>
> > > >> [Snort-sigs] icode syntax (snort 2.7.0)
> > > >> (http://archive.netbsd.se/?ml=snort-sigs&a=2007-07&m=4728221)
> > > >>
> > > >>
> > > >
> > > > This post didn't escape html special chars like '<'.  Disregard what you
> > > > see.
> > > >
> > > >
> > > >> The next issue is a bit different.
> > > >>
> > > >> Program received signal SIGSEGV, Segmentation fault.
> > > >> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
> > > >> 1277        return (StreamFlowData *)ssn->flowdata->data;
> > > >>
> > > >>
> > > >
> > > > Thanks for the heads up.  We're looking into it.
> > > >
> > > >
> > > >> If I comment out bleeding-exploit.rules, everything works fine. Snort
> > > >> doesn't complain with -T either.  I am getting ready to head out, so
> > > >> if anyone else can confirm the issue, that'd be great. Otherwise I'll
> > > >> try to track down what rule is triggering the issue when I can get
> > > >> some more time.
> > > >>
> > > >> Bammkkkk
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > >
> > >
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
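As an added example, not code from the thread or from the Snort project: a small Python triage script that applies the two observations in the thread to a rules file. It joins rules that are line-wrapped the way they appear in the mail, flags rules that use flowbits without any content: or flow: option, counts their flowbits:unset directives, and rejects the '>1<5' icode form while accepting '1<>5'. The sample input is constructed here from one of the quoted rules plus a made-up control rule with a placeholder sid.

```python
import re

# Constructed sample: one rule quoted in the thread (wrapped as in the mail)
# plus a made-up control rule that carries flow:/content: (placeholder sid).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
EXPLOIT WMF Escape Record Exploit - Version 1";
flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/";
flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
threshold:type limit, track by_src, count 1,seconds 120;
reference:url,www.frsirt.com/english/advisories/2005/3086;
sid:2002758; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTROL rule";
flow:to_server,established; content:"GET"; flowbits:unset,example_bit;
sid:9999999; rev:1;)
'''
# key:value; pairs; quoted values (msg, pcre) may contain ';' or newlines
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
ICODE_RE = re.compile(r'\d+|[<>]\d+|\d+<>\d+')  # code, <max, >min, min<>max

def parse_rules(text):
    """Join wrapped lines into whole rules; return [(sid, [(key, value), ...])]."""
    rules, buf = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        buf.append(line)
        if line.endswith(')'):  # closing paren of the option list ends a rule
            rule, buf = ' '.join(buf), []
            opts = rule.partition('(')[2].rsplit(')', 1)[0]
            pairs = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(opts)]
            sid = next((v for k, v in pairs if k == 'sid'), '?')
            rules.append((sid, pairs))
    return rules

def triage(text):
    """Per sid: flowbits usage, unset count, and whether content:/flow: is absent."""
    report = {}
    for sid, pairs in parse_rules(text):
        keys = [k for k, _ in pairs]
        unsets = sum(1 for k, v in pairs if k == 'flowbits' and v.startswith('unset,'))
        anchored = 'content' in keys or 'flow' in keys
        report[sid] = {'flowbits': keys.count('flowbits'), 'unset': unsets,
                       'suspect': 'flowbits' in keys and not anchored}
    return report

def icode_is_valid(value):
    # True for the documented icode forms; the thread's '>1<5' is rejected
    return ICODE_RE.fullmatch(value) is not None
```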