Project

General

Profile

Bug #10245

PHP errors in snort package

Added by John Silva 6 months ago. Updated 6 months ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
02/08/2020
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.5
Affected Architecture:

Description

Running 2.4.5-RC with Snort package.

Crash Reporter is reporting an error in the snort package. Crash report follows (edited for brevity - the report contains hundreds of duplicate lines):

Crash report begins.  Anonymous machine information:

amd64
11.3-STABLE
FreeBSD 11.3-STABLE #85 54b0ad59490(RELENG_2_4_5): Tue Feb  4 17:36:47 EST 2020     root@buildbot2-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/IuZS8Bew/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning:  preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning:  preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning:  preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning:  preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning:  preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning:  preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[remainder omitted]

History

#1 Updated by Bill Meeks 6 months ago

I don't believe this is a bug in the Snort package source code. I think it is instead a problem with your search term defined in your SID management configuration file.

The actual line of code in the Snort package is simply applying what it read from the SID management configuration file token to the text of the rule.

Can you post which particular SID management configuration you are using? I suspect it is a quoting/escaping issue in your search string.

#2 Updated by John Silva 6 months ago

I think you're correct. This isn't a bug in your code.

There are a couple of things going on.

First, my SID management config contains a number of complex PCRE operators that I copied over from a working config for suricata. Unlike the suricata package, the snort SID management code escapes these with preg_quote before passing them to preg_match. This breaks any actual use of PCRE with the pcre: operator. I haven't gotten round to creating a bug report for this yet.

As a workaround I had created a local patch for the snort package to remove the preg_quote operation. The suricata package doesn't do this escape, so this seemed harmless and allowed the pcre operators to work.

However, my config included this malformed regex:

pcre:metadata:.*deployment\s+(Datacenter/Internal).*signature_severity\s+(Critical|Major)

The wayward '/' in this pattern results in 'Internal' being interpreted as a pattern modifier, resulting in this error.

This particular issue can be closed since the behavior I reported is self-induced. I'm not sure why this didn't throw an error in 2.4.4-p3, however.

#3 Updated by Jim Pingle 6 months ago

  • Status changed from New to Not a Bug

Also available in: Atom PDF