App-layer-event and pcre questions

hi,
Recently, I received the following alerts.

ATTACK [PTsecurity] Buffer Overflow via Negative HTTP Chunk size number (FFMPEG CVE-2016-10190, WGET CVE-2017-13089, CVE-2017-13090)

The rule has two keywords that I don't understand:

app-layer-event:http.invalid_response_chunk_len; 
pcre: "/^\s*-[0-9A-Fa-f]+/Qs";
1. What does http.invalid_response_chunk_len mean? And how can I get all the app-layer-event information?
2. What does the last "s" in the pcre mean?

I can't find the instructions in the Suricata documentation.

For the last s in the pcre, I think it is to use PCRE2_DOTALL, cf. the pcre2_compile specification and the code in detect-pcre.c.

I guess this one is missing in the doc cf 6.7. Payload Keywords — Suricata 6.0.0 documentation

For the app-layer-event, it comes from the libhtp log message "Response chunk encoding: Invalid chunk length", which means that `htp_parse_chunked_length` parsed a negative number.
There is no more information about the app-layer-event itself I think.

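As an added illustration (not code from this thread, from Suricata or from libhtp), the same check the rule's pcre and libhtp's chunk-length validation express, in Python: a naive chunk-size parser that accepts a signed hex number next to one that rejects it, and the rule's regex applied to constructed sample bodies. It assumes the Q modifier selects the decoded HTTP response body as the buffer the regex is run over; note that the pattern contains no `.`, so the s (DOTALL) flag does not change what it matches here.

```python
import re

# Pattern from the rule, compiled with DOTALL as the "s" modifier requests.
# There is no "." in the pattern, so DOTALL has no effect on the match result.
NEGATIVE_CHUNK_RE = re.compile(r"^\s*-[0-9A-Fa-f]+", re.DOTALL)


def naive_chunk_len(line: str) -> int:
    """Bug class the rule targets: int(..., 16) happily accepts a leading '-',
    so a size line of "-a" becomes -10 and is later used as a length."""
    size_field = line.split(";", 1)[0].strip()  # drop chunk extensions
    return int(size_field, 16)


def parse_chunk_len(line: str):
    """Hardened parser: the size must be one or more unsigned hex digits.
    Returns the chunk size, or None for an invalid (e.g. negative) size line."""
    size_field = line.split(";", 1)[0].strip()
    if not size_field or any(c not in "0123456789abcdefABCDEF" for c in size_field):
        return None  # a '-' sign (or anything else) fails here
    return int(size_field, 16)


def first_chunk_is_negative(body: str) -> bool:
    """What the rule's pcre asserts on the response body buffer."""
    return NEGATIVE_CHUNK_RE.search(body) is not None


# Constructed sample bodies, not captured traffic.
BENIGN_BODY = "5\r\nhello\r\n0\r\n\r\n"
BAD_BODY = "  -a\r\nhello\r\n0\r\n\r\n"

if __name__ == "__main__":
    for body in (BENIGN_BODY, BAD_BODY):
        size_line = body.split("\r\n", 1)[0]
        print(repr(size_line), "naive:", naive_chunk_len(size_line),
              "hardened:", parse_chunk_len(size_line),
              "rule matches:", first_chunk_is_negative(body))
```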