
Comments (9)

paulfariello avatar paulfariello commented on June 2, 2024

Hi,

it doesn't seem to be an error in your script. Could you run it with the --debug flag and check which packet is segfaulting haka?
Each packet is identified with a number (which is the same in pcap and haka).

Then, could you provide us the extracted http flow from your pcap ?

from haka.

jihadinho avatar jihadinho commented on June 2, 2024

So, here is what I've done.

root@System-U14LTS:~/work# tail -20 serdbg.out
debug packet:    dropping packet id=4393214
debug packet:    received packet id=4393215
debug states:    http: leave transition on state 'request'
debug states:    http: finish from state 'request'
debug states:    http: finish transition on state 'request'
alert: id = 3721718
        time = Mon Feb  8 14:45:45 2016
        severity = low
        description = no connection found for tcp packet
        sources = {
                address: 172.24.143.231
                service: tcp/5672
        }
        targets = {
                address: 10.10.30.49
                service: tcp/33752
        }
debug packet:    dropping packet id=4393215
debug packet:    received packet id=4393216  <<<< Here we get the segmentation fault

I extracted frame number 4393216 with tshark:

4393216  66.934873 10.10.192.240 -> 10.17.8.15   DNS 81 Standard query 0xd132 

So it's a DNS query, not an HTTP packet. I think there is no need to attach the UDP flow, since it's nothing unusual.

I have extracted the flow and applied the script on it without receiving the segmentation fault.
The problem seems more related to the size of the capture...

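The triage paulfariello asks for and jihadinho performs above (find the last packet haka received before it died, then pull the same frame out of the pcap) can be scripted. The following is an added example, not code from the thread or from the haka project; it parses a constructed sample of `--debug` output modelled on the excerpt, assumes that every packet haka finished with ends in a `dropping packet id=` line as in that excerpt, and relies on the thread's statement that haka's packet id equals the pcap frame number:

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `hakapcap --debug` output, modelled on the excerpt
# posted in the thread (ids and alert text come from it; this is not a
# verbatim copy of the full serdbg.out).
SAMPLE_LOG = """\
debug packet:    received packet id=4393214
debug states:    http: leave transition on state 'request'
debug packet:    dropping packet id=4393214
debug packet:    received packet id=4393215
alert: id = 3721718
        severity = low
        description = no connection found for tcp packet
debug packet:    dropping packet id=4393215
debug packet:    received packet id=4393216
"""

# Only the verbs visible in the excerpt are recognised; an "accepting" line,
# if haka emits one, would need a third pattern here (assumption).
RECEIVED = re.compile(r"^debug packet:\s+received packet id=(\d+)")
DROPPED = re.compile(r"^debug packet:\s+dropping packet id=(\d+)")
ALERT = re.compile(r"^alert: id = (\d+)")


def packet_outcomes(log_text: str) -> Dict[int, str]:
    """Map each packet id to 'dropped', or 'in flight' when no dropping line
    follows its received line."""
    outcomes: Dict[int, str] = {}
    for line in log_text.splitlines():
        m = RECEIVED.match(line)
        if m:
            outcomes[int(m.group(1))] = "in flight"
            continue
        m = DROPPED.match(line)
        if m:
            outcomes[int(m.group(1))] = "dropped"
    return outcomes


def crash_candidates(log_text: str) -> List[int]:
    """Packets received but never finished: if haka segfaulted, the last of
    these is the packet it was processing."""
    return [pid for pid, state in packet_outcomes(log_text).items()
            if state == "in flight"]


def last_received_packet(log_text: str) -> Optional[int]:
    """The id on the final 'received packet' line, i.e. what the <<<< marker
    in the thread points at."""
    last = None
    for line in log_text.splitlines():
        m = RECEIVED.match(line)
        if m:
            last = int(m.group(1))
    return last


def alert_ids(log_text: str) -> List[int]:
    """Alerts raised before the crash; useful context for the bug report."""
    return [int(m.group(1)) for m in map(ALERT.match, log_text.splitlines()) if m]


def tshark_filter(packet_id: int) -> str:
    """Wireshark display filter selecting the same frame in the pcap."""
    return f"frame.number == {packet_id}"


if __name__ == "__main__":
    crashed = last_received_packet(SAMPLE_LOG)
    print("unfinished packets:", crash_candidates(SAMPLE_LOG))
    print("alerts seen:", alert_ids(SAMPLE_LOG))
    print("inspect with: tshark -r capture.pcap -Y", repr(tshark_filter(crashed)))
```

Run it against the real `serdbg.out` by replacing `SAMPLE_LOG` with the file contents; the resulting filter string goes to `tshark -r <pcap> -Y '...'` exactly as jihadinho did by hand.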

paulfariello avatar paulfariello commented on June 2, 2024

Thanks, I'll try to reproduce with some big pcap files we have here.
If you can provide us the pcap file it would be of a great help.


jihadinho avatar jihadinho commented on June 2, 2024

Unfortunately, due to security enforcement, I cannot provide the pcap. However, I think a big pcap with my script will reproduce the issue. If you don't manage to reproduce, let me know and I'll try to do it with another pcap (which I will be able to provide).


mtalbi avatar mtalbi commented on June 2, 2024

We have reproduced a similar stack trace. We are investigating...


paulfariello avatar paulfariello commented on June 2, 2024

Could you try with a debug build of haka so we can confirm we are working on the same issue?

cmake -DBUILD=Debug <path-to-haka-source>
make localinstall
source out/env.sh
hakapcap


paulfariello avatar paulfariello commented on June 2, 2024

Could you try with a fresh build of the develop branch, as baef121 fixes a bug with a double free on HTTP over a reset TCP stream.


jihadinho avatar jihadinho commented on June 2, 2024

I've tried with your latest commit and it worked. It seems that's the root cause. I'll be testing with other pcap files so we can be sure.
Thanks


paulfariello avatar paulfariello commented on June 2, 2024

Great!

By the way, you could speed up your script by compiling your regular expressions outside the haka rule:

local rem = require("regexp/pcre")
local tcp_connection = require('protocol/tcp_connection')
local http = require('protocol/http')

http.install_tcp_rule(80)
http.install_tcp_rule(8080)

-- Compile both expressions once, when the script is loaded, instead of on
-- every evaluation of the rule. The regexp module is PCRE, so the dot is
-- escaped with a backslash: the Lua-pattern style "%." would make PCRE look
-- for a literal percent sign and the rule would never fire.
local re1 = rem.re:compile('^.*\\.[^.]+$', rem.re.CASE_INSENSITIVE)
local re2 = rem.re:compile("([^/.]+)$|([^/]+)(\\.[^/.]+)$", rem.re.CASE_INSENSITIVE)

haka.rule {
    hook = http.events.receive_data,
    options = {
        streamed = true,
    },
    eval = function (http, iter, dir)
        if http.request ~= nil then
            local split_uri = http.request.split_uri:normalize()
            -- only requests whose URI ends in a dotted extension
            if re1:match(http.request.uri) then
                -- result followed by the 0-based start/end offsets of the match
                local res, startpos, endpos = re2:match(split_uri.path)
                if res then
                    -- last path segment, with or without its extension
                    local filename = string.sub(split_uri.path, startpos + 1, endpos)
                    local file = io.open("/root/work/download/" .. filename, "w")
                    if file then
                        for sub in iter:foreach_available() do
                            file:write(sub:asstring())
                        end
                        file:close()
                    end
                end
            end
        end
    end
}

I'll close the issue, feel free to reopen if you encounter the segfault again.

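The two patterns in the rule above decide which requests get written to disk and under what name, and the name is taken straight from the client's URI. The following is an added example, not code from the thread or the haka project, that checks the patterns offline and adds the path-confinement test the rule's `io.open()` call lacks. Python's `re` stands in for haka's PCRE module (close enough for these patterns), `urlsplit` stands in for `split_uri:normalize()`, the patterns are written with the PCRE escape `\.` that the comment's `%.` is assumed to mean, and the download directory is the one from the comment:

```python
import os
import re
from typing import Optional
from urllib.parse import urlsplit

# PCRE-flavoured forms of re1 and re2 from the rule above ("\." assumed for
# the Lua-pattern "%." in the posted script).
HAS_EXTENSION = re.compile(r"^.*\.[^.]+$", re.IGNORECASE)
BASENAME = re.compile(r"([^/.]+)$|([^/]+)(\.[^/.]+)$", re.IGNORECASE)

# Download directory used by the rule in the comment.
DOWNLOAD_DIR = "/root/work/download"


def looks_like_file(uri: str) -> bool:
    """Same test as re1: the request URI ends in a dotted extension.
    Note that it is applied to the whole URI, query string included."""
    return HAS_EXTENSION.match(uri) is not None


def extract_filename(path: str) -> Optional[str]:
    """Same extraction as re2 plus string.sub in the rule: the whole matched
    text, i.e. the last path segment, with or without an extension."""
    m = BASENAME.search(path)
    return m.group(0) if m else None


def safe_target(filename: Optional[str]) -> Optional[str]:
    """Absolute destination path, or None if the name cannot be written safely
    inside DOWNLOAD_DIR. This is the check missing before io.open() in the rule:
    the name is attacker-controlled, so reject separators, '.'/'..', NULs and
    anything that normalises to a different directory."""
    if not filename or filename in (".", "..") or "/" in filename or "\x00" in filename:
        return None
    target = os.path.normpath(os.path.join(DOWNLOAD_DIR, filename))
    if os.path.dirname(target) != DOWNLOAD_DIR:
        return None
    return target


def plan_download(uri: str) -> Optional[str]:
    """End-to-end decision the rule makes for one request: where the body
    would be written, or None meaning 'write nothing'."""
    if not looks_like_file(uri):
        return None
    return safe_target(extract_filename(urlsplit(uri).path))


if __name__ == "__main__":
    # Constructed sample URIs; none of these come from the thread's capture.
    for uri in ("/images/logo.png", "/dl/archive.tar.gz?token=1",
                "/api/v1/users", "/docs/"):
        print(f"{uri:32} -> {plan_download(uri)}")
```

`safe_target` keeps the separator test even though re2 already excludes `/`, so the check still holds if a future edit to the pattern, or percent-decoding in `normalize()`, lets a slash through.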
