[Snort-devel] Snort 2.7 Segfaults w/bleeding-exploit

Steven Sturges steve.sturges at ...402...
Thu Jul 26 17:04:55 EDT 2007


Since the release of 2.7.0, we've had a few reports of issues
with certain rule options and Stream5.  We have checked fixes
into CVS SNORT_2_7_0 branch, and we are in the process of
putting together a source tarball and RPMs.  They will
be available in the next few days.

The rule options in question are TCP rules that have flowbits
with no associated content or other qualifying check prior
to the use of the flowbit.

In the interim, as a work-around, use stream4 in place of
stream5 or disable rules that have flowbits, but without
content or flow.

Thanks to rmkml, Koji Shikata, Anders Ostrem, Jeffrey Denton,
Matt Jonkman, and Bamm Visscher for reporting on the issues.

Let us know if you see any additional issues.

Happy Snorting!

Cheers.
-steve
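The interim work-around above (drop back to stream4, or disable TCP rules that use flowbits with no content or flow qualifier) is easiest to apply if you can find the offending rules mechanically. The following script is an added example, not Snort project code and not something posted in this thread: it parses a Snort 2.x rules file (honouring backslash line continuation and semicolons inside quoted pcre/content strings), flags TCP rules that carry flowbits but neither content/uricontent nor flow, flags icode written as `>1<5` rather than the valid `1<>5` form from later in the thread, and can comment the flagged sids out. The sample rules are constructed for illustration except sid 2002758, which is the rule quoted below; treating uricontent as a content check is an assumption.

```python
"""Lint Snort 2.x rules for the two problems reported in this thread and
comment out the ones that match the Stream5 work-around.  Added example,
not Snort project code.  Sample rules are constructed except sid 2002758.
Assumption: uricontent counts as a content check for the work-around."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SAMPLE_RULES = r'''# constructed rules file; sid 2002758 is the rule from the thread
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 1"; flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE WMF placeable header"; flow:established,from_server; content:"|D7 CD C6 9A|"; flowbits:set,example_wmf; flowbits:noalert; sid:9000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE bad icode range"; itype:3; icode:>1<5; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE flowbits on udp"; flowbits:isset,example_udp; sid:9000003; rev:1;)
'''

RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<body>.*)\)\s*$")
CONTENT_KEYWORDS = {"content", "uricontent"}
BAD_RANGE = re.compile(r"^[<>]\s*\d+\s*[<>]\s*\d+$")   # e.g. '>1<5'


@dataclass
class Rule:
    proto: str
    options: List[Tuple[str, str]]   # (keyword, value); value is "" for bare keywords
    first_line: int                  # physical line span, continuation-aware
    last_line: int

    def values(self, keyword: str) -> List[str]:
        return [v for k, v in self.options if k == keyword]

    @property
    def sid(self) -> Optional[int]:
        v = self.values("sid")
        return int(v[0]) if v else None


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the rule body on ';' outside double quotes, honouring backslash
    escapes inside quotes, so a pcre such as "/a;b/" stays in one piece."""
    opts, cur, in_q, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\" and in_q:
            cur.append(ch); esc = True
        elif ch == '"':
            in_q = not in_q; cur.append(ch)
        elif ch == ";" and not in_q:
            opts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur))
    out = []
    for o in opts:
        o = o.strip()
        if o:
            k, _, v = o.partition(":")
            out.append((k.strip(), v.strip()))
    return out


def parse_rules(text: str) -> List[Rule]:
    lines, rules, i = text.splitlines(), [], 0
    while i < len(lines):
        start, logical = i, lines[i].rstrip()
        while logical.endswith("\\") and i + 1 < len(lines):   # Snort line continuation
            i += 1
            logical = logical[:-1] + lines[i].rstrip()
        stripped = logical.strip()
        if stripped and not stripped.startswith("#"):
            m = RULE_HEADER.match(stripped)
            if m:
                rules.append(Rule(m.group("proto").lower(), split_options(m.group("body")), start, i))
        i += 1
    return rules


def flowbits_without_qualifier(rule: Rule) -> bool:
    """The rule shape named in the work-around: TCP, uses flowbits, and has
    neither a content/uricontent match nor a flow option before it fires."""
    keywords = {k for k, _ in rule.options}
    if rule.proto != "tcp" or "flowbits" not in keywords:
        return False
    return not (keywords & CONTENT_KEYWORDS) and "flow" not in keywords


def malformed_icode(rule: Rule) -> Optional[str]:
    """Return an icode value written like '>1<5'; the valid between form is '1<>5'."""
    for v in rule.values("icode"):
        if BAD_RANGE.match(v):
            return v
    return None


def lint(text: str) -> List[Tuple[Optional[int], str]]:
    findings = []
    for r in parse_rules(text):
        if flowbits_without_qualifier(r):
            findings.append((r.sid, "flowbits-without-content-or-flow"))
        bad = malformed_icode(r)
        if bad is not None:
            findings.append((r.sid, "malformed-icode:" + bad))
    return findings


def disable_rules(text: str, sids: Set[int]) -> str:
    """Comment out every physical line of the listed sids (continuations included)."""
    lines = text.splitlines()
    for r in parse_rules(text):
        if r.sid in sids:
            for n in range(r.first_line, r.last_line + 1):
                lines[n] = "# " + lines[n]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for sid, why in lint(SAMPLE_RULES):
        print(f"sid {sid}: {why}")
    flagged = {s for s, why in lint(SAMPLE_RULES) if why.startswith("flowbits")}
    print(disable_rules(SAMPLE_RULES, flagged))
```

To apply it to a real rule set, read each `*.rules` file, pass its text to `lint()`, and write back `disable_rules()` for the sids flagged as `flowbits-without-content-or-flow`; re-run `snort -T` afterwards. The check only reproduces the heuristic the thread settled on (flowbits with no content or flow on a TCP rule); it does not tell you why Stream5 dereferences a NULL flowdata for such rules, so remove the work-around once the fixed 2.7.0 tarball is installed.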

Bamm Visscher wrote:
> Okay, so maybe not. Had some time to do more testing and at least two
> other rules cause problems:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
> EXPLOIT WMF Escape Record Exploit - Version 1";
> flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/";
> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> threshold:type limit, track by_src, count 1,seconds 120;
> reference:url,www.frsirt.com/english/advisories/2005/3086;
> sid:2002758; rev:2;)
> 
> and
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
> EXPLOIT WMF Escape Record Exploit - Version 3";
> flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/";
> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
> threshold:type limit, track by_src, count 1,seconds 120;
> reference:url,www.frsirt.com/english/advisories/2005/3086;
> sid:2002742; rev:5;)
> 
> 
> One of the things that these rules have in common is that they all
> have three "flowbits:unset," directives.
> 
> Bammkkkk
> 
> 
> On 7/26/07, Bamm Visscher <bamm.visscher at ...2499...> wrote:
>> Looks like the issue is w/rules that use flowbits, but don't have
>> content: or flow:.
>>
>> Bammkkkk
>>
>>
>> On 7/25/07, Bamm Visscher <bamm.visscher at ...2499...> wrote:
>>> Out of curiosity, what specifically is causing the segfault with those rules?
>>>
>>>
>>> On 7/25/07, Todd Wease <twease at ...402...> wrote:
>>>> The segfault seems to be caused by these two rules in
>>>> bleeding-exploit.rules:
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
>>>> WMF Escape Record Exploit - Version 1";
>>>> flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/";
>>>> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
>>>> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
>>>> threshold:type limit, track by_src, count 1,seconds 120;
>>>> reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758;
>>>> rev:2;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
>>>> WMF Escape Record Exploit - Version 3";
>>>> flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/";
>>>> flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl;
>>>> flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user;
>>>> threshold:type limit, track by_src, count 1,seconds 120;
>>>> reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742;
>>>> rev:5;)
>>>>
>>>>
>>>> I only tested the bleeding-exploit.rules file so I don't know if other rules
>>>> files might cause the same issue.  You should comment these out until we
>>>> find a solution to the issue.
>>>>
>>>> Thanks
>>>> Todd
>>>>
>>>>
>>>>
>>>> Todd Wease wrote:
>>>>> Bamm Visscher wrote:
>>>>>
>>>>>> I was testing 2.7.0 (Build 35) today and ran into a couple of issues.
>>>>>> The first is fairly simple.
>>>>>>
>>>>>> Initializing rule chains...
>>>>>> ERROR: /etc/snort/rules/bleeding-dos.rules (79): Invalid ICMP icode in
>>>>>> rule: >1<5
>>>>>> Fatal Error, Quitting..
>>>>>>
>>>>>>
>>>>> The correct syntax is
>>>>>
>>>>> 1<>5     /* between 1 and 5 */
>>>>>
>>>>> I don't think that '>1<5' was ever valid syntax.  It was just that Snort
>>>>> syntax error checking didn't catch it as invalid and was probably doing
>>>>> the wrong thing with it.
>>>>>
>>>>>
>>>>>> The below thread on snort-sigs seems to address the issue, not sure
>>>>>> when the change of syntax occurred
>>>>>>
>>>>>> [Snort-sigs] icode syntax (snort 2.7.0)
>>>>>> (http://archive.netbsd.se/?ml=snort-sigs&a=2007-07&m=4728221)
>>>>>>
>>>>>>
>>>>> This post didn't escape html special chars like '<'.  Disregard what you
>>>>> see.
>>>>>
>>>>>
>>>>>> The next issue is a bit different.
>>>>>>
>>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>>> 0x080bc81e in Stream5GetFlowData (p=0xbfe18e90) at spp_stream5.c:1277
>>>>>> 1277        return (StreamFlowData *)ssn->flowdata->data;
>>>>>>
>>>>>>
>>>>> Thanks for the heads up.  We're looking into it.
>>>>>
>>>>>
>>>>>> If I comment out bleeding-exploit.rules, everything works fine. Snort
>>>>>> doesn't complain with -T either.  I am getting ready to head out, so
>>>>>> if anyone else can confirm the issue, that'd be great. Otherwise I'll
>>>>>> try to track down what rule is triggering the issue when I can get
>>>>>> some more time.
>>>>>>
>>>>>> Bammkkkk
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>
>>>>
>>>
>>> --
>>> sguil - The Analyst Console for NSM
>>> http://sguil.sf.net
>>>
>>
>> --
>> sguil - The Analyst Console for NSM
>> http://sguil.sf.net
>>
> 
> 
