On Fri, 20 Apr 2018, Chris Conn wrote:
WTF? If tflags=multiple is supported at all, it should behave properly
(i.e. not hitting over and over on the *same bit of text*).
maxhits was implemented after 3.3.1; is it possible that there are just a
*lot* of instances of "your business" in that test message, and it's simply
hitting all of them?
Can anyone else confirm this on 3.3.1? Run through a test message with
*one* instance of "your business" and get repeated hits on it in
__GENERATE_LEADS?
While __GENERATE_LEADS is recent, there are a lot of tflags=multiple rules
in the base ruleset that have been there for a long time - I'd expect this
to have come up much earlier.
I tested on Centos7 with sa-update done and rules compiled, this rule does
not trigger a loop.
You tested 3.3.1 on C7? Or the native 3.4.0, which does implement maxhits?
Are the SA 3.3.1 sources different between the C6 and C7 packages?
Hello,
To follow up; if I disable Rule2XSBody plugin (rule compilation), on Centos6
SA 3.3.1-3 there is no loop;
Whew!
however, with Rule2XSBody enabled, on SA 3.3.1 on Centos6, it loops forever.
Rats!
With or without Rule2XSBody on Centos7 SA 3.4.0-2 bundled SA rpm, it works
correctly.
Yeah, because 3.4.x implements maxhits.
So, should I disable the __GENERATE_LEADS family for < 3.4.0? I suspect it
would be prudent, but I am surprised the other tflags=multiple rules
aren't also problematic in the same manner...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79