Hello everyone,
I'm trying to perform detection using the following rule/logic:
alert http any any -> any any ( msg:"TEST entropy on base64_data"; flow:to_server,established; http.header; content:"X-"; fast_pattern; content:":"; base64_decode: bytes 144, offset 1, relative; base64_data; entropy: value >= 6.0; flowbits: isset, single_custom_header; classtype:trojan-activity; sid:1000005; rev:1; )
But when I run Suricata from the command line on a generic pcap, I get the following:
suricata -S b64_entropy_test.rules -r generic_traffic.pcap
i: suricata: This is Suricata version 8.0.1 RELEASE running in USER mode
E: suricata: stacktrace:sig 11:__nss_database_lookup+0x0000378d;TimeDifferenceMicros+0x000000c9;HashListTableLookup+0x00000024;VarNameStoreRegister+0x00000060;DetectEngineRegisterTests+0x0000007c;DetectOffsetRegister+0x00001e3d;SigFree+0x00000425;SigFree+0x00001569;DetectEngineAppendSig+0x0000001a;IPOnlyRegisterTests+0x000003d5;IPOnlyRegisterTests+0x00000733;SigLoadSignatures+0x00000306;PostConfLoadedDetectSetup+0x00000179;SuricataInit+0x000001e5;main+0x00000063;__libc_init_first+0x0000008a;__libc_start_main+0x0000008b;_start+0x00000025
Segmentation fault
Context:
- Suricata version: 8.0.1 RELEASE
- Operating system: Ubuntu 24.04.3 LTS
- Kernel: 6.5.0-1027-oem #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 25 13:32:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Suricata installed from Ubuntu repository using apt:
$ apt-cache policy suricata
suricata:
Installed: 1:8.0.1-0ubuntu0
Candidate: 1:8.0.1-0ubuntu0
Version table:
*** 1:8.0.1-0ubuntu0 500
500 https://ppa.launchpadcontent.net/oisf/suricata-stable/ubuntu noble/main amd64 Packages
100 /var/lib/dpkg/status
1:7.0.3-1build3 500
500 http://it.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
$ apt show -a suricata
Package: suricata
Version: 1:8.0.1-0ubuntu0
Priority: optional
Section: net
Maintainer: Peter Manev <pmanev@oisf.net>
Installed-Size: 16,2 MB
Depends: libc6 (>= 2.38), libcap-ng0 (>= 0.7.9), libevent-2.1-7t64 (>= 2.1.8-stable), libevent-pthreads-2.1-7t64 (>= 2.1.8-stable), libgcc-s1 (>= 4.2), libhiredis1.1.0 (>= 1.2.0), libhyperscan5 (>= 5.4.2), libjansson4 (>= 2.14), liblz4-1 (>= 0.0~r127), libmagic1t64 (>= 5.12), libmaxminddb0 (>= 1.0.2), libnet1 (>= 1.1.5), libnetfilter-queue1 (>= 1.0.2), libnfnetlink0 (>= 1.0.2), libpcap0.8t64 (>= 1.0.0), libpcre2-8-0 (>= 10.22), libunwind8, libyaml-0-2, zlib1g (>= 1:1.2.3.4), lsb-base (>= 3.0-6), python3, python3-yaml, libluajit-5.1-common
Download-Size: 4.424 kB
APT-Manual-Installed: yes
APT-Sources: https://ppa.launchpadcontent.net/oisf/suricata-stable/ubuntu noble/main amd64 Packages
Description: Suricata open source multi-thread IDS/IPS/NSM system.
Suricata IDS/IPS/NSM
http://www.openinfosecfoundation.org/
http://planet.suricata-ids.org/
http://suricata-ids.org/
Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.
Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
This Engine supports:
Multi-Threading - provides for extremely fast and flexible operation on multicore systems.
File Extraction, MD5 matching - over 4000 file types recognized and extracted from live traffic.
TLS/SSL certificate matching/logging
IEEE 802.1ad (QinQ) and IEEE 802.1Q (VLAN) support
All JSON output/logging capability
NSM runmode
Automatic Protocol Detection (IPv4/6, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, DNS )
Gzip Decompression
Fast IP Matching
Hardware acceleration on CUDA GPU cards
and many more great features -
http://suricata-ids.org/features/all-features/
I'm using the default configuration bundled with the package itself.
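To check what the rule above is meant to match independently of the crashing engine, here is an added Python re-implementation of its buffer walk (not part of the original post or of Suricata): skip `offset 1` after the `:` match, decode `bytes 144` of base64 input, and compare the Shannon entropy of the decoded bytes with the `6.0` threshold. It assumes Suricata's `entropy` keyword is Shannon entropy in bits per byte and that an incomplete trailing base64 quartet is dropped; the header lines are constructed samples.

```python
import base64
import math
from collections import Counter
from typing import Optional, Tuple

# Parameters copied from the rule in the post.
DECODE_BYTES = 144        # base64_decode: bytes 144 (encoded input bytes)
DECODE_OFFSET = 1         # base64_decode: offset 1 (skips the space after ':')
ENTROPY_THRESHOLD = 6.0   # entropy: value >= 6.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def evaluate_header(header_line: str) -> Optional[Tuple[bool, float]]:
    """Mimic the rule on one raw HTTP header line.

    Returns (matched, entropy), or None when the content matches
    ("X-" followed by ":") are not present or the data is not base64.
    """
    x_pos = header_line.find("X-")            # content:"X-"
    if x_pos == -1:
        return None
    colon = header_line.find(":", x_pos)      # content:":" (relative match)
    if colon == -1:
        return None
    start = colon + 1 + DECODE_OFFSET         # relative; offset 1
    encoded = header_line[start:start + DECODE_BYTES]
    encoded = encoded[: len(encoded) - len(encoded) % 4]  # assumption: drop partial quartet
    try:
        decoded = base64.b64decode(encoded, validate=True)  # base64_data buffer
    except ValueError:
        return None
    ent = shannon_entropy(decoded)
    return ent >= ENTROPY_THRESHOLD, ent


# Constructed sample headers: 144 distinct bytes (high entropy) vs. a run of "A".
HIGH_ENTROPY_HEADER = "X-Payload: " + base64.b64encode(bytes(range(144))).decode()
LOW_ENTROPY_HEADER = "X-Payload: " + base64.b64encode(b"A" * 120).decode()

if __name__ == "__main__":
    for line in (HIGH_ENTROPY_HEADER, LOW_ENTROPY_HEADER, "Host: example.test"):
        print(line[:24], "->", evaluate_header(line))
```

Only the first 144 encoded characters (108 decoded bytes) are scored, so a long low-entropy prefix in a header value can hide a high-entropy tail from this rule.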