jasonish / py-idstools

idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)

Parsing a badly-formatted rule ends in seg fault

imbellish opened this issue · comments

To reproduce:

>>> from idstools import rule
>>> rule.parse_file('snort.rules')

NOTE: the second rule is missing a semi-colon after metadata, an obvious cause, but a typo on my part.

snort.rules

 drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
 alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:0; sid:10000001; rev:1; classtype: icmp-event; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop)
 alert ip any any -> any any (msg: "IP Packet detected"; gid:0; sid:10000002; rev:1; classtype:icmp-event; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop;)
 alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )

Version information:
I tested this out on two different Python versions since seg faults are unusual. Not sure if it affects Python 3 but I'd guess that it does.

  • Python 2.7.6, 2.7.9
  • idstools 0.6.1, 0.6.2
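
Added example (not idstools code and not part of this issue): a stand-alone Python option tokenizer that reports a missing `;` as a parse error with the offending line number, rather than letting the malformed rule reach the parser. The grammar it accepts is an assumption that covers the four rules above (an action, an optional five-tuple header, options in parentheses, each terminated by `;`); `ISSUE_RULES` is the rule file quoted in the issue, embedded so the example runs offline.

```python
from typing import Dict, List, Optional, Tuple

# Stand-alone, simplified Snort/Suricata rule parser written for this example
# (assumption: the grammar below covers the rules in the issue; it is not
# the idstools parser): [action] [proto src sport dir dst dport] ( opt; opt; ... )
# Every option must end in ';'. Quoted values may contain \" and \; escapes.

ACTIONS = {"alert", "drop", "pass", "reject", "sdrop", "log", "activate", "dynamic"}
HEADER_FIELDS = ("proto", "src", "sport", "dir", "dst", "dport")


class RuleParseError(ValueError):
    """Raised for a malformed rule; the caller decides whether to skip or abort."""


def _split_option(raw: str) -> Tuple[str, Optional[str]]:
    raw = raw.strip()
    if not raw:
        raise RuleParseError("empty option (stray ';')")
    name, sep, value = raw.partition(":")
    value = value.strip() if sep else None
    if value and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # unquote msg:"..." style values
    return name.strip(), value


def tokenize_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split on unquoted, unescaped ';'; a trailing option without ';' is an error."""
    options: List[Tuple[str, Optional[str]]] = []
    buf: List[str] = []
    in_quote = False
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep escape sequences verbatim
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append(_split_option("".join(buf)))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if in_quote:
        raise RuleParseError("unterminated quoted string in options")
    tail = "".join(buf).strip()
    if tail:
        raise RuleParseError("option %r is not terminated by ';'" % tail)
    return options


def parse_rule(line: str) -> Dict[str, object]:
    """Parse one rule; 'header' is None for header-less preproc/reputation rules."""
    line = line.strip()
    start = line.find("(")
    if start < 0 or not line.endswith(")"):
        raise RuleParseError("rule options must be enclosed in '(' ... ')'")
    fields = line[:start].split()
    if not fields or fields[0] not in ACTIONS:
        raise RuleParseError("missing or unknown action in %r" % line[:start])
    options = tokenize_options(line[start + 1:-1])
    rule: Dict[str, object] = {"action": fields[0], "options": options}
    if len(fields) == 1:
        rule["header"] = None
    elif len(fields) == 7 and fields[4] in ("->", "<>"):
        rule["header"] = dict(zip(HEADER_FIELDS, fields[1:]))
    else:
        raise RuleParseError("malformed header %r" % line[:start])
    for key in ("sid", "gid", "rev"):
        val = next((v for n, v in options if n == key), None)
        rule[key] = int(val) if val is not None and val.isdigit() else None
    return rule


def parse_rules(text: str) -> Tuple[List[Dict[str, object]], List[Tuple[int, str]]]:
    """Parse a rule file body: good lines are kept, bad ones are reported by line number."""
    rules: List[Dict[str, object]] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except RuleParseError as exc:
            errors.append((lineno, str(exc)))
    return rules, errors


# The four rules from the issue; the second still lacks its final ';'.
ISSUE_RULES = "\n".join([
    'drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:0; sid:10000001; rev:1; classtype: icmp-event; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop)',
    'alert ip any any -> any any (msg: "IP Packet detected"; gid:0; sid:10000002; rev:1; classtype:icmp-event; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop;)',
    'alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )',
])

if __name__ == "__main__":
    parsed, problems = parse_rules(ISSUE_RULES)
    print("%d rules parsed, rejected: %s" % (len(parsed), problems))
```

Running it parses rules 1, 3 and 4 and rejects rule 2 with `option 'metadata:policy ...' is not terminated by ';'` for line 2, so a typo of this kind surfaces as a reported line rather than a crash or a silently merged option. Tracking quote state before splitting on `;` is what keeps a `;` inside a `msg` string from being treated as a terminator, and the explicit trailing-text check is what catches the missing one.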

Thanks. This should be fixed in master now.