Bug #10245 (closed): PHP errors in snort package
Description
Running 2.4.5-RC with Snort package.
Crash Reporter is reporting an error in the snort package. Crash report follows (edited for brevity - the report contains hundreds of duplicate lines):
Crash report begins. Anonymous machine information:
amd64 11.3-STABLE FreeBSD 11.3-STABLE #85 54b0ad59490(RELENG_2_4_5): Tue Feb 4 17:36:47 EST 2020 root@buildbot2-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/IuZS8Bew/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense
Crash report details:
PHP Errors:
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning: preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning: preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning: preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning: preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning: preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[08-Feb-2020 00:05:18 America/Los_Angeles] PHP Warning: preg_match(): Unknown modifier 'I' in /usr/local/pkg/snort/snort.inc on line 2357
[remainder omitted]
Updated by Bill Meeks almost 5 years ago
I don't believe this is a bug in the Snort package source code. I think it is instead a problem with your search term defined in your SID management configuration file.
The actual line of code in the Snort package is simply applying what it read from the SID management configuration file token to the text of the rule.
Can you post which particular SID management configuration you are using? I suspect it is a quoting/escaping issue in your search string.
Updated by John Silva almost 5 years ago
I think you're correct. This isn't a bug in your code.
There are a couple of things going on.
First, my SID management config contains a number of complex PCRE operators that I copied over from a working config for suricata. Unlike the suricata package, the snort SID management code escapes these with preg_quote before passing them to preg_match. This breaks any actual use of PCRE with the pcre: operator. I haven't gotten round to creating a bug report for this yet.
As a workaround I had created a local patch for the snort package to remove the preg_quote operation. The suricata package doesn't do this escape, so this seemed harmless and allowed the pcre operators to work.
However, my config included this malformed regex:
pcre:metadata:.*deployment\s+(Datacenter/Internal).*signature_severity\s+(Critical|Major)
The wayward '/' in this pattern results in 'Internal' being interpreted as a pattern modifier, resulting in this error.
This particular issue can be closed since the behavior I reported is self-induced. I'm not sure why this didn't throw an error in 2.4.4-p3, however.
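The failure described in this thread, as an added illustration that is not part of the bug report and is not the Snort package's own code. It models the patched behaviour John describes (the pcre: term dropped between '/' delimiters without preg_quote) and then shows the check a maintainer or operator would want: escape only the delimiter so the user's PCRE operators survive, and compile-test every term once before applying it to hundreds of rules. The exact way the package wraps the term, the "pcre:<term>" line format, the rule text and the search terms are all assumptions constructed for the example.

```php
<?php
// Added illustration, not code from the pfSense Snort package. Shows why a bare
// '/' inside a pcre: search term makes preg_match() report an unknown modifier,
// and one way to validate such terms before use. The wrapping of the term, the
// config line format and the sample data below are assumptions for the example.

// Constructed rule text carrying a Snort-style metadata keyword.
$rule = 'alert tcp any any -> any any (msg:"example"; '
      . 'metadata:deployment Datacenter, signature_severity Critical; sid:1000001;)';

// Terms as they would follow the "pcre:" prefix in a SID management file.
$good     = 'metadata:.*deployment\s+(Datacenter|Internal).*signature_severity\s+(Critical|Major)';
$badSlash = 'metadata:.*deployment\s+(Datacenter/Internal).*signature_severity\s+(Critical|Major)';
$badParen = 'metadata:.*deployment\s+(Datacenter';

// Naive application, the patched behaviour described in the thread: the term is
// placed between '/' delimiters as-is. An unescaped '/' inside it closes the
// pattern early, and everything after it ("Internal).*...") is parsed as
// modifier letters, so PHP warns "Unknown modifier 'I'" and preg_match()
// returns false for every rule it is applied to.
function naive_match(string $term, string $text): bool
{
    return preg_match('/' . $term . '/', $text) === 1;
}

// Build the pattern with only the delimiter escaped. Unlike preg_quote(), this
// leaves the user's PCRE operators (groups, alternation, \s, quantifiers) intact.
function build_pattern(string $term): string
{
    return '/' . str_replace('/', '\/', $term) . '/';
}

// Compile-test a term once. preg_match() returns false (not 0) when the pattern
// fails to compile; '@' silences the warning so the caller gets one clear
// answer instead of one log line per rule.
function term_compiles(string $term): bool
{
    return @preg_match(build_pattern($term), '') !== false;
}

// Apply a term, refusing an invalid one up front.
function safe_match(string $term, string $text): bool
{
    if (!term_compiles($term)) {
        throw new InvalidArgumentException('pcre: term does not compile: ' . $term);
    }
    return preg_match(build_pattern($term), $text) === 1;
}

// Lint every pcre: term in a SID management configuration before it is used and
// return the lines that would fail. Lines are assumed to be "pcre:<term>".
function lint_pcre_terms(string $config): array
{
    $bad = [];
    foreach (preg_split('/\R/', $config) as $line) {
        if (strpos($line, 'pcre:') === 0 && !term_compiles(substr($line, 5))) {
            $bad[] = $line;
        }
    }
    return $bad;
}

var_dump(naive_match($good, $rule));      // bool(true)
var_dump(naive_match($badSlash, $rule));  // PHP Warning: preg_match(): Unknown modifier 'I' ... then bool(false)
var_dump(safe_match($good, $rule));       // bool(true)
var_dump(safe_match($badSlash, $rule));   // bool(false): now a valid pattern wanting a literal "Datacenter/Internal"
var_dump(lint_pcre_terms("pcre:$good\npcre:$badParen\n")); // only the unbalanced-paren line is reported
```

Note that escaping the delimiter does not repair the intent of the malformed term: `(Datacenter\/Internal)` compiles, but it now looks for the literal text "Datacenter/Internal" instead of the alternation the author meant, so the lint step catches syntax errors only and the matched-rule count still has to be sanity-checked after a config change.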