In Suricata before 4.x, it was possible to trigger lots of redundant checks on the content of crafted network traffic with a certain signature, because of DetectEngineContentInspection in detect-engine-content-inspection.c. The search engine doesnt stop when it should after no match is found; instead, it stops only upon reaching inspection-recursion-limit (3000 by default).
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Suricata | Openinfosecfoundation | * | 3.2.4 (including) |
| Suricata | Ubuntu | artful | * |
| Suricata | Ubuntu | bionic | * |
| Suricata | Ubuntu | cosmic | * |
| Suricata | Ubuntu | disco | * |
| Suricata | Ubuntu | eoan | * |
| Suricata | Ubuntu | esm-apps/bionic | * |
| Suricata | Ubuntu | esm-apps/xenial | * |
| Suricata | Ubuntu | trusty | * |
| Suricata | Ubuntu | upstream | * |
| Suricata | Ubuntu | xenial | * |
| Suricata | Ubuntu | zesty | * |
References
- https://github.com/OISF/suricata/commit/b9579fbe7dd408200ef03cbe20efddb624b73885
- https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html
- https://redmine.openinfosecfoundation.org/issues/2231
- https://github.com/OISF/suricata/commit/b9579fbe7dd408200ef03cbe20efddb624b73885
- https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html
- https://redmine.openinfosecfoundation.org/issues/2231