App-layer-event and pcre questions

Recently, I received the following alerts.

ATTACK [PTsecurity] Buffer Overflow via Negative HTTP Chunk size number (FFMPEG CVE-2016-10190, WGET CVE-2017-13089, CVE-2017-13090)

the rule has two key words that I don’t understand

pcre: "/^\s*-[0-9A-Fa-f]+/Qs";
  1. What does the http.invalid_response_chunk_len mean? And how can i get all the
    app-layer-event informations?
  2. What is the last “s” mean in the pcre ?

I can’t find the instructions in the suricata ducoment.

For the last s in the pcre, I think it is to use PCRE2_DOTALL cf pcre2_compile specification and looking at the code detect-pcre.c

I guess this one is missing in the doc cf 6.7. Payload Keywords — Suricata 6.0.0 documentation

For the app-layer-event, it comes from libhtp log message "Response chunk encoding: Invalid chunk length" which means that htp_parse_chunked_length` parsed a negative number
There is no more information about the app-layer-event itself I think.

1 Like