<div dir="ltr">Thanks all, the rule has been fixed and pushed to the download servers.<div><br></div><div>- Travis</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 19, 2017 at 2:56 AM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 19-07-17 10:34, Sascha Steinbiss wrote:<br>
> Hi all,<br>
><br>
>> Quick heads up: yesterday's ET update breaks on Hyperscan. Not sure which<br>
>> rule, or if it's Open or Pro only.<br>
><br>
> I've done some quick narrowing down using 'suricata -S' and the ET daily<br>
> changelog<br>
> (<a href="https://www.proofpoint.com/us/daily-ruleset-update-summary-20170718" rel="noreferrer" target="_blank">https://www.proofpoint.com/<wbr>us/daily-ruleset-update-<wbr>summary-20170718</a>).<br>
> Result: For me commenting out the rule with SID 2827194 in<br>
> etpro-mobile_malware.rules fixed the issue.<br>
<br>
</span>Great, thanks.<br>
<br>
The rule has 'dsize:21;' followed by a 22 byte pattern. So Hyperscan is<br>
correct.<br>
<br>
Suricata shouldn't crash like this of course, I opened<br>
<a href="https://redmine.openinfosecfoundation.org/issues/2187" rel="noreferrer" target="_blank">https://redmine.<wbr>openinfosecfoundation.org/<wbr>issues/2187</a> for that.<br>
<span class="im HOEnZb"><br>
--<br>
------------------------------<wbr>---------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/<wbr>victorjulien.asc</a><br>
------------------------------<wbr>---------------<br>
<br>
</span><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
</div>
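<div>The mismatch diagnosed in this thread (a 'dsize:21;' rule carrying a 22-byte pattern) can be caught before a ruleset is loaded. The following is an added example, not code from the thread, Suricata or the ET ruleset; it also covers the 'dsize:&lt;N' and 'dsize:min&lt;&gt;max' forms. The function names and sample rules are constructed for illustration, and it assumes every content keyword is matched against the raw packet payload (no buffer modifiers).</div>

```python
import re

CONTENT_RE = re.compile(r'\bcontent\s*:\s*(!?)\s*"((?:\\.|[^"\\])*)"')
DSIZE_RE = re.compile(r'\bdsize\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def content_length(pattern):
    """Bytes matched by a content pattern; |..| blocks hold hex byte values."""
    length, hex_digits, in_hex, chars = 0, 0, False, iter(pattern)
    for ch in chars:
        if ch == "|":
            in_hex = not in_hex
        elif in_hex:
            hex_digits += ch in "0123456789abcdefABCDEF"
        else:
            if ch == "\\":
                next(chars, None)  # an escaped character (\" or \;) is one byte
            length += 1
    return length + hex_digits // 2

def max_payload(dsize):
    """Largest payload a dsize expression allows; None if unbounded or unhandled."""
    m = re.fullmatch(r'(\d+)|<(\d+)|\d+<>(\d+)', dsize.replace(" ", ""))
    if not m:
        return None  # e.g. '>N'
    exact, below, upper = m.groups()
    # 'min<>max' is treated as inclusive of max, so only certain misses are flagged.
    return int(below) - 1 if below else int(exact or upper)

def check_rule(rule):
    """(sid, limit, longest content) if the rule can never match, else None."""
    dsize, sid = DSIZE_RE.search(rule), SID_RE.search(rule)
    limit = max_payload(dsize.group(1)) if dsize else None
    # Negated contents (content:!"...") are skipped: a long one still matches.
    longest = max((content_length(p) for neg, p in CONTENT_RE.findall(rule)
                   if not neg), default=0)
    if limit is None or longest <= limit:
        return None
    return (int(sid.group(1)) if sid else None, limit, longest)

def lint(rules_text):
    rules = [l.strip() for l in rules_text.splitlines() if l.strip()[:1] not in ("", "#")]
    return [hit for hit in map(check_rule, rules) if hit]

# Constructed sample rules (not from any real ruleset).
SAMPLE_RULES = r'''
alert tcp any any -> any any (msg:"constructed: 22-byte pattern"; dsize:21; content:"ABCDEFGHIJKLMNOPQRSTUV"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"constructed: 21 bytes with hex"; dsize:21; content:"|00 01 02|ABCDEFGHIJKLMNOPQR"; sid:1000002; rev:1;)
'''
```

<div>Calling lint() on the text of a rules file returns one (sid, dsize limit, longest content length) tuple per rule that can never match.</div>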