sagan icon indicating copy to clipboard operation
sagan copied to clipboard
verified publisher icon beave

Sagan faults with large input and certain pcre rules.

Open beave opened this issue 7 years ago • 0 comments

Describe the bug

libpcre faults when dealing with certain types of expressions. For example:

pcre: "/^((?!Account Name: (.)$ ).)$/";

Will work fine with smaller strings, but fault on large input. This was encountered when on sid 500343.

To Reproduce Steps to reproduce the behavior:

  1. Enabled rule with the pcre above.
  2. using "logger" and "seq" send a large string.
  3. Sagan gets a fault

See this link for a similar described problem. This likely is a recursive limitation issue in the "match" function of PCRE. Non-JIT causes a crash, while JIT causes a miss (no match / falsely)

beave avatar Aug 21 '18 15:08 beave