Did anyone follow up on this?

                Vern


--- Begin Message ---
Hi all,

So I have a case where if I use the following regex in the sig file, it works,
but when I edit it and make it more strict I get a segmentation fault in like 5
minutes after bro gets normally started:

The working version:

signature rootkit-potential {
  payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
  event "Potential rootkit"
  tcp-state originator
}

signature rootkit-malware {
  payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
  event "rootkit malware"
  tcp-state originator
}

When I change the regex to be more restrictive, a seg fault occurs:

signature rootkit-potential {
  payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "Potential rootkit"
  tcp-state originator
}

signature rootkit-malware {
  payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
  event "rootkit malware"
  tcp-state originator
}

Any idea what might be going wrong?

Thanks,
Fatema.
_______________________________________________
Bro mailing list
b...@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--- End Message ---
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
