aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Actually limit recursion and backtracking and stack usage by PCRE. Logic was broken, no example was provided in suricata.yaml even though it could be set from there.

Browse Source
remotes/origin/master-1.1.x
William 14 years ago committed by Victor Julien
parent 61fe05b220
commit 6730c3ace1
2 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File

13
src/detect-pcre.c
Unescape Escape View File

@ -67,7 +67,8 @@
#define DEFAULT_MATCH_LIMIT 10000000 #define DEFAULT_MATCH_LIMIT 10000000
#define DEFAULT_MATCH_LIMIT_RECURSION 10000000 #define DEFAULT_MATCH_LIMIT_RECURSION 10000000
#define MATCH_LIMIT_DEFAULT 1500 #define SC_MATCH_LIMIT_DEFAULT 1500
#define SC_MATCH_LIMIT_RECURSION_DEFAULT 1500
static int pcre_match_limit = 0; static int pcre_match_limit = 0;
static int pcre_match_limit_recursion = 0; static int pcre_match_limit_recursion = 0;
@ -119,20 +120,22 @@ void DetectPcreRegister (void) {
intmax_t val = 0; intmax_t val = 0;
if (!ConfGetInt("pcre.match-limit", &val)) { if (!ConfGetInt("pcre.match-limit", &val)) {
pcre_match_limit = DEFAULT_MATCH_LIMIT; pcre_match_limit = SC_MATCH_LIMIT_DEFAULT;
} }
else { else {
pcre_match_limit = val; pcre_match_limit = val;
} }
SCLogInfo("Using PCRE match-limit setting of: %i", pcre_match_limit);
val = 0; val = 0;
if (!ConfGetInt("pcre.match-limit-recursion", &val)) { if (!ConfGetInt("pcre.match-limit-recursion", &val)) {
pcre_match_limit_recursion = DEFAULT_MATCH_LIMIT_RECURSION; pcre_match_limit_recursion = SC_MATCH_LIMIT_RECURSION_DEFAULT;
} }
else { else {
pcre_match_limit_recursion = val; pcre_match_limit_recursion = val;
} }
SCLogInfo("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
if(parse_regex == NULL) if(parse_regex == NULL)
@ -913,10 +916,10 @@ DetectPcreData *DetectPcreParse (char *regexstr)
} }
else { else {
pd->sd->match_limit = MATCH_LIMIT_DEFAULT; pd->sd->match_limit = SC_MATCH_LIMIT_DEFAULT;
pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT; pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT;
#ifndef NO_PCRE_MATCH_RLIMIT #ifndef NO_PCRE_MATCH_RLIMIT
pd->sd->match_limit_recursion = MATCH_LIMIT_DEFAULT; pd->sd->match_limit_recursion = SC_MATCH_LIMIT_RECURSION_DEFAULT;
pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION; pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
#endif /* NO_PCRE_MATCH_RLIMIT */ #endif /* NO_PCRE_MATCH_RLIMIT */
} }

5
suricata.yaml
Unescape Escape View File

@ -168,6 +168,11 @@ engine-analysis:
# enables printing reports for fast-pattern for every rule. # enables printing reports for fast-pattern for every rule.
rules-fast-pattern: yes rules-fast-pattern: yes
#recursion and match limits for PCRE where supported
pcre:
match-limit: 3500
match-limit-recursion: 1500
# You can specify a threshold config file by setting "threshold-file" # You can specify a threshold config file by setting "threshold-file"
# to the path of the threshold config file: # to the path of the threshold config file:
# threshold-file: /etc/suricata/threshold.config # threshold-file: /etc/suricata/threshold.config

Write Preview
Loading…
Cancel
Save