Subject: Re: [snort] Livelock with "nocase"
From: Erich Meier (Erich.Meier@informatik.uni-erlangen.de)
Date: Tue Mar 07 2000 - 02:42:12 CST
- Next message: Ralf Hildebrandt: "Re: [snort] 1.6-beta11 available [CVS & WWW]"
- Previous message: Martin Roesch: "[snort] 1.6-beta11 available [CVS & WWW]"
- In reply to: Martin Roesch: "Re: [snort] Livelock with "nocase""
- Next in thread: John Wilson: "Re: [snort] Livelock with "nocase""
- Reply: Erich Meier: "Re: [snort] Livelock with "nocase""
- Reply: John Wilson: "Re: [snort] Livelock with "nocase""
- Reply: John Wilson: "Re: [snort] Livelock with "nocase""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, Mar 06, 2000 at 06:02:40PM -0500, Martin Roesch wrote:
> Well, it could just be a matter of the lack of a closing pipe leaving
> the content size counter too large/"unclosed" and the content matcher
> walking off the end of the rule. I've got to put in a check to make
> sure that those pipes get closed properly in the parser.....
This seems to be not the case. When properly closing the pattern with a pipe,
snort 1.6 beta11 nevertheless hangs.
The rule:
alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query"; content:"version|04|bind|0000 1000 03|"; nocase;)
I ran it under the debugger. The stacktrace during the livelock:
(dbx) where
=>[1] toupper(0xffffffff, 0x1, 0x62450, 0x1f65c, 0xef623180, 0x1c8dc), at 0xef5eb03c
[2] mSearchCI(0x5280c, 0x26, 0x5d328, 0x11, 0x63078, 0x63480), at 0x1c900
[3] CheckPatternMatch(0xeffff2e0, 0x627e0, 0x62490, 0x202fc, 0x824fc803, 0xffffff84), at 0x20364
[4] EvalOpts(0x627e0, 0xeffff2e0, 0x62420, 0x1f464, 0x0, 0x0), at 0x1efec
[5] EvalHeader(0x627a0, 0xeffff2e0, 0x11, 0x38c4bef9, 0xeffff124, 0x0), at 0x1ede0
[6] EvalPacket(0x4f2a8, 0x2, 0xeffff2e0, 0x38c4bef9, 0x83bc222d, 0x8), at 0x1ed9c
[7] Detect(0xeffff2e0, 0x21b74, 0xeffff2e0, 0x50, 0xfffffff8, 0xeffff6fc), at 0x1ed04
[8] Preprocess(0xeffff2e0, 0x527f0, 0x800, 0x1b8b4, 0x0, 0x0), at 0x1ebf4
[9] ProcessPacket(0x0, 0xeffff770, 0x527e2, 0x527e4, 0x527e3, 0x0), at 0x1726c
[10] pcap_read(0x50fc0, 0x50, 0x50, 0x52b9e, 0xef623180, 0x1ca9c), at 0x239f0
[11] pcap_loop(0x50fc0, 0xffffffff, 0x17138, 0x0, 0x9, 0xef598d28), at 0x24704
[12] main(0x4f2f0, 0xeffff8dc, 0xeffff904, 0x4ecf4, 0x0, 0x0), at 0x170c0
The pointers in mSearchCI point to:
(dbx) print (char *) 0x5280c
(char *) 337932 = 0x5280c "u\xd1"
(dbx) print (char *) 0x5d328
(char *) 381736 = 0x5d328 "VERSION^DBIND"
When I continue and break again, it is always the same pattern.
John, Marty, the rest, does this help?
Regards,
Erich
--
Erich Meier Erich.Meier@informatik.uni-erlangen.de http://www4.informatik.uni-erlangen.de/~meier/
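As an added illustration of the matcher behaviour discussed in this thread (example code written for this page, not Snort's mSearchCI or anything posted by the participants): a bounded, case-insensitive search for a binary pattern, run against constructed payloads using the 17-byte pattern that Erich's rule decodes to (17 is also the 0x11 length argument visible in the mSearchCI frame of the trace). Every index is checked against explicit lengths so the loop cannot run past either buffer, and each byte is widened to unsigned char before toupper(), whose behaviour is undefined for negative values such as the 0xffffffff seen in the trace's toupper frame.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Bounded, case-insensitive search for a binary pattern (which may contain
 * NUL and high-bit bytes) inside a packet payload.  Returns the offset of
 * the first match, or -1.  Both loops are bounded by explicit lengths, so
 * the search always terminates and never reads outside either buffer.
 * Bytes are widened as unsigned char first: toupper() on a sign-extended
 * char such as 0xd1 (or EOF, 0xffffffff) is undefined behaviour. */
static long search_nocase(const uint8_t *buf, size_t buflen,
                          const uint8_t *pat, size_t patlen)
{
    if (patlen == 0 || patlen > buflen)
        return -1;
    for (size_t i = 0; i + patlen <= buflen; i++) {
        size_t j;
        for (j = 0; j < patlen; j++) {
            if (toupper((unsigned char)buf[i + j]) !=
                toupper((unsigned char)pat[j]))
                break;
        }
        if (j == patlen)
            return (long)i;
    }
    return -1;
}

/* Constructed: the 17-byte pattern that the rule's
 * content:"version|04|bind|0000 1000 03|" decodes to (|..| = hex bytes). */
static const uint8_t DNS_VERSION_PAT[] = {
    'v','e','r','s','i','o','n', 0x04, 'b','i','n','d',
    0x00, 0x00, 0x10, 0x00, 0x03 };

/* Constructed sample payloads, not captured traffic: a 12-byte DNS header
 * followed by an upper-case version.bind TXT/CHAOS question ... */
static const uint8_t PAYLOAD_HIT[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x07, 'V','E','R','S','I','O','N', 0x04, 'B','I','N','D',
    0x00, 0x00, 0x10, 0x00, 0x03 };
/* ... and a near miss with high-bit bytes in front and a different class. */
static const uint8_t PAYLOAD_MISS[] = {
    'u', 0xd1, 0xff, 'v','e','r','s','i','o','n', 0x04, 'b','i','n','d',
    0x00, 0x00, 0x10, 0x00, 0x02 };

int hit_offset(void)  { return (int)search_nocase(PAYLOAD_HIT, sizeof PAYLOAD_HIT,
                                                  DNS_VERSION_PAT, sizeof DNS_VERSION_PAT); }
int miss_offset(void) { return (int)search_nocase(PAYLOAD_MISS, sizeof PAYLOAD_MISS,
                                                  DNS_VERSION_PAT, sizeof DNS_VERSION_PAT); }
```

hit_offset() returns 13 (the byte right after the header and the 0x07 label length); miss_offset() returns -1 after scanning every window, including the high-bit bytes, without looping.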