Attached a new patch. Please don't apply the older one. Fixed a small typo in the unittest. It should pass now.<br><br><div class="gmail_quote">On Sun, Jul 25, 2010 at 10:48 AM, Anoop Saldanha <span dir="ltr"><<a href="mailto:poonaatsoc@gmail.com">poonaatsoc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi rmkml. Can you please check it with this attached patch. Should fix it. Added an unittest to the patch as well.<div>
<div></div><div class="h5"><br><br><div class="gmail_quote">On Sun, Jul 25, 2010 at 1:21 AM, <span dir="ltr"><<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Ok Im found my "crash" sig:<br>
alert udp any any -> any any (msg:"crash"; byte_test:4,>,2,0;<br>
byte_jump:1,0,relative; sid:11; )<br>
Regards<br>
Rmkml<br>
<br>
<br>
Selon rmkml <<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>>:<br>
<br>
> thx for reply Victor,<br>
> no problemo:<br>
><br>
> ...<br>
> [20560] 24/7/2010 -- 16:23:13 - (detect.c:302) <Error> (DetectLoadSigFile) --<br>
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp<br>
> $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php<br>
> access"; flow:to_server,established; uricontent:"/shoutbox.php";<br>
> reference:nessus,11668; classtype:web-application-activity; sid:2142;<br>
> rev:1;)" from file /home/test/snort/rules/web-php.rules at line 94<br>
<div>> [20560] 24/7/2010 -- 16:23:14 - (detect-bytejump.c:594) <Error><br>
> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No<br>
> preceding content or uricontent or pcre option<br>
> *** glibc detected ***<br>
> /home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul201<br>
> 0/src/.libs/suricata: corrupted double-linked list: 0x0a51dea8 ***<br>
> ======= Backtrace: =========<br>
> /lib/libc.so.6[0xa9d06d]<br>
</div>> ...<br>
<div><div></div><div>><br>
> Regards<br>
> Rmkml<br>
><br>
><br>
><br>
> On Sat, 24 Jul 2010, Victor Julien wrote:<br>
><br>
> > Can you share the signature this is happening with? Privately if you<br>
> prefer.<br>
> ><br>
> > Cheers,<br>
> > Victor<br>
> ><br>
> > rmkml wrote:<br>
> >> Hi Victor,<br>
> >> Thx for your work and your time on this project!<br>
> >><br>
> >> I have "downloaded" (git clone) last Suricata version,<br>
> >> but I have a glibc error (git ead29dc6918f4524f1fae7e892d3f86dac117c0a):<br>
> >> ...<br>
> >> [20560] 24/7/2010 -- 16:23:14 - (detect-bytejump.c:594) <Error><br>
> >> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No<br>
> >> preceding content or uricontent or pcre option<br>
> >> *** glibc detected ***<br>
> >><br>
> /home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata:<br>
> >> corrupted double-linked list: 0x0a51dea8 ***<br>
> >> ======= Backtrace: =========<br>
> >> /lib/libc.so.6[0xa9d06d]<br>
> >> /lib/libc.so.6[0xa9eb2b]<br>
> >> /lib/libc.so.6(cfree+0x90)[0xaa2430]<br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata[0x807b0dd]<br>
> >><br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata[0x807c04a]<br>
> >><br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata[0x807c1fb]<br>
> >><br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata[0x806586e]<br>
> >><br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata[0x8065d4b]<br>
> >><br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata[0x804bc70]<br>
> >><br>
> >> /lib/libc.so.6(__libc_start_main+0xe0)[0xa4cf70]<br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata[0x804aa01]<br>
> >><br>
> >> ======= Memory map: ========<br>
> >> 0072c000-0073e000 r-xp 00000000 08:02 3700508 /lib/libz.so.1.2.3<br>
> >> 0073e000-0073f000 rw-p 00011000 08:02 3700508 /lib/libz.so.1.2.3<br>
> >> 00a18000-00a33000 r-xp 00000000 08:02 11817698 /lib/<a href="http://ld-2.6.so" target="_blank">ld-2.6.so</a><br>
> >> 00a33000-00a34000 r--p 0001a000 08:02 11817698 /lib/<a href="http://ld-2.6.so" target="_blank">ld-2.6.so</a><br>
> >> 00a34000-00a35000 rw-p 0001b000 08:02 11817698 /lib/<a href="http://ld-2.6.so" target="_blank">ld-2.6.so</a><br>
> >> 00a37000-00b85000 r-xp 00000000 08:02 11817699 /lib/<a href="http://libc-2.6.so" target="_blank">libc-2.6.so</a><br>
> >> 00b85000-00b87000 r--p 0014e000 08:02 11817699 /lib/<a href="http://libc-2.6.so" target="_blank">libc-2.6.so</a><br>
> >> 00b87000-00b88000 rw-p 00150000 08:02 11817699 /lib/<a href="http://libc-2.6.so" target="_blank">libc-2.6.so</a><br>
> >> 00b88000-00b8b000 rw-p 00000000 00:00 0<br>
> >> 00bbf000-00bd3000 r-xp 00000000 08:02 5434178 /lib/<a href="http://libpthread-2.6.so" target="_blank">libpthread-2.6.so</a><br>
> >> 00bd3000-00bd4000 r--p 00013000 08:02 5434178 /lib/<a href="http://libpthread-2.6.so" target="_blank">libpthread-2.6.so</a><br>
> >> 00bd4000-00bd5000 rw-p 00014000 08:02 5434178 /lib/<a href="http://libpthread-2.6.so" target="_blank">libpthread-2.6.so</a><br>
> >> 00bd5000-00bd7000 rw-p 00000000 00:00 0<br>
> >> 00bee000-00c17000 r-xp 00000000 08:02 2078837 /usr/lib/libpcap.so.0.9.7<br>
> >> 00c17000-00c19000 rw-p 00028000 08:02 2078837 /usr/lib/libpcap.so.0.9.7<br>
> >> 00c58000-00c7f000 r-xp 00000000 08:02 5434342 /lib/libpcre.so.0.0.1<br>
> >> 00c7f000-00c80000 rw-p 00026000 08:02 5434342 /lib/libpcre.so.0.0.1<br>
> >> 05db4000-05dbf000 r-xp 00000000 08:02 5434249<br>
> >> /lib/libgcc_s-4.1.2-20070925.so.1<br>
> >> 05dbf000-05dc0000 rw-p 0000a000 08:02 5434249<br>
> >> /lib/libgcc_s-4.1.2-20070925.so.1<br>
> >> 08048000-08100000 r-xp 00000000 08:02 1244073<br>
> >><br>
> /home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata<br>
> >><br>
> >> 08100000-08101000 rw-p 000b8000 08:02 1244073<br>
> >><br>
> /home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/src/.libs/suricata<br>
> >><br>
> >> 08101000-0a53d000 rw-p 00000000 00:00 0 [heap]<br>
> >> b7400000-b7421000 rw-p 00000000 00:00 0<br>
> >> b7421000-b7500000 ---p 00000000 00:00 0<br>
> >> b7594000-b771c000 rw-p 00000000 00:00 0<br>
> >> b771c000-b7737000 r-xp 00000000 08:02 11261710<br>
> >> /home/test/oisf_suricata_ids/yaml-0.1.3/src/.libs/libyaml-0.so.2.0.1<br>
> >> b7737000-b7738000 rw-p 0001a000 08:02 11261710<br>
> >> /home/test/oisf_suricata_ids/yaml-0.1.3/src/.libs/libyaml-0.so.2.0.1<br>
> >> b7748000-b7749000 rw-p 00000000 00:00 0<br>
> >> b7749000-b7758000 r-xp 00000000 08:02 654980<br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/libhtp/htp/.libs/libhtp-0.2.so.1.0.2<br>
> >><br>
> >> b7758000-b7759000 rw-p 0000e000 08:02 654980<br>
> >><br>
><br>
/home/test/oisf_suricata_ids/suricata-1.0.1pregit24jul2010/libhtp/htp/.libs/libhtp-0.2.so.1.0.2<br>
> >><br>
> >> b7759000-b775a000 rw-p 00000000 00:00 0<br>
> >> b775a000-b775b000 r-xp 00000000 00:00 0 [vdso]<br>
> >> bf96c000-bf98d000 rw-p 00000000 00:00 0 [stack]<br>
> >> Abandon<br>
> >><br>
> >> Regards<br>
> >> Rmkml<br>
> >><br>
> >><br>
> >><br>
> >> On Sat, 24 Jul 2010, Victor Julien wrote:<br>
> >><br>
> >>> <a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a> wrote:<br>
> >>>> I have new:<br>
> >>>> On git 21 jul, mem usage pb appear, but I have a small (revert)<br>
> >>>> change "resolv"<br>
> >>>> my pb, Move (back) this Line on if loop /* content */:<br>
> >>>> PatternMatchPreparePopulateMpm(de_ctx, sh);<br>
> >>>> #line 1081 in src/detect-engine-mpm.c<br>
> >>><br>
> >>> Thanks Rmkml. At this point I don't think there is anything wrong in the<br>
> >>> code there. The changes were done to fix some accuracy issues we were<br>
> >>> seeing.<br>
> >>><br>
> >>> I did cleanup the code a bit in the latest git master. I don't expect<br>
> >>> anything to change, but maybe you can try anyway :)<br>
> >>><br>
> >>> Cheers,<br>
> >>> Victor<br>
> >>><br>
> >>><br>
> >>> --<br>
> >>> ---------------------------------------------<br>
> >>> Victor Julien<br>
> >>> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> >>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> >>> ---------------------------------------------<br>
> >>><br>
> >>><br>
> ><br>
> ><br>
> > --<br>
> > ---------------------------------------------<br>
> > Victor Julien<br>
> > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> > PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > ---------------------------------------------<br>
> ><br>
> ><br>
><br>
><br>
<br>
<br>
_______________________________________________<br>
Oisf-devel mailing list<br>
<a href="mailto:Oisf-devel@openinfosecfoundation.org" target="_blank">Oisf-devel@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
</div></div></blockquote></div><br><br clear="all"><br></div></div>-- <br>Regards,<br><font color="#888888">Anoop Saldanha<br><br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Anoop Saldanha<br><br>