<div dir="ltr">I also saw this on my local 3.2.1:<div><br></div><div>This is Suricata version <span style="background:rgb(34,255,0)">3.2.1</span> RELEASE<br></div><div>...</div><div>18/7/2017 -- 23:01:23 - &lt;Error&gt; - [ERRCODE: SC_ERR_FATAL(171)] - compile error: Expression has max_offset=21 but requires 22 bytes to match.<br><br>This is in socket mode.  I didn't get this error doing local pcaps with a small local ruleset.  I also didn't see the error in local mode with latest git (rev 3063851).</div><div><br></div><div>I haven't had a chance to test more than that.</div><div><br></div><div>FT</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 19, 2017 at 7:14 AM, Travis Green <span dir="ltr">&lt;<a href="mailto:travis@travisgreen.net" target="_blank">travis@travisgreen.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks all, the rule has been fixed and pushed to the download servers.<div><br></div><div>- Travis</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Wed, Jul 19, 2017 at 2:56 AM, Victor Julien <span dir="ltr">&lt;<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 19-07-17 10:34, Sascha Steinbiss wrote:<br>
> Hi all,<br>
><br>
>> Quick heads up: yesterday's ET update breaks on Hyperscan. Not sure which<br>
>> rule, or if it's Open or Pro only.<br>
><br>
> I've done some quick narrowing down using 'suricata -S' and the ET daily<br>
> changelog<br>
> (<a href="https://www.proofpoint.com/us/daily-ruleset-update-summary-20170718" rel="noreferrer" target="_blank">https://www.proofpoint.com/us<wbr>/daily-ruleset-update-summary-<wbr>20170718</a>).<br>
> Result: For me commenting out the rule with SID 2827194 in<br>
> etpro-mobile_malware.rules fixed the issue.<br>
<br>
</span>Great, thanks.<br>
<br>
The rule has 'dsize:21;' followed by a 22 byte pattern. So Hyperscan is<br>
correct.<br>
<br>
Suricata shouldn't crash like this of course, I opened<br>
<a href="https://redmine.openinfosecfoundation.org/issues/2187" rel="noreferrer" target="_blank">https://redmine.openinfosecfou<wbr>ndation.org/issues/2187</a> for that.<br>
<span class="m_2102464205080121798im m_2102464205080121798HOEnZb"><br>
--<br>
------------------------------<wbr>---------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victor<wbr>julien.asc</a><br>
------------------------------<wbr>---------------<br>
<br>
</span><div class="m_2102464205080121798HOEnZb"><div class="m_2102464205080121798h5">______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/train<wbr>ing/</a></div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div class="m_2102464205080121798gmail_signature" data-smartmail="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
</font></span></div>
</blockquote></div><br></div>
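<div>Added example (not part of the original thread, and not Suricata or Emerging Threats code): a pre-deployment check for the rule defect described above, a content pattern that needs more bytes than the rule's dsize allows. The sample rules and SIDs are constructed, since the ET Pro rule text is not shown in the thread; treating the bounds of an a&lt;&gt;b range as exclusive is an assumption.</div>

```python
import re

# Constructed sample rules (not the ET Pro rule from the thread; SIDs are placeholders).
SAMPLE_RULES = r'''
alert tcp any any -> any any (msg:"constructed: pattern longer than dsize"; dsize:21; content:"|00 01|ABCDEFGHIJKLMNOPQRST"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"constructed: fits"; dsize:21; content:"|00 01|ABCDEFGHIJKLMNOPQRS"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"constructed: escaped \; and range"; dsize:4<>8; content:"a\;b|0d 0a|cdef"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"constructed: lower bound only"; dsize:>5; content:"ABCDEFGHIJ"; sid:1000004; rev:1;)
'''

# One "keyword:value;" option; a backslash escapes the next character (e.g. \;).
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:\\.|[^;\\])*))?;')

def content_length(value):
    """Byte length of a quoted content value: |..| hex runs plus literal text."""
    total = 0
    for i, part in enumerate(value.strip()[1:-1].split('|')):
        if i % 2:                      # odd segments sit between pipes: hex bytes
            total += len(bytes.fromhex(part))
        else:                          # literal text; drop the escaping backslashes
            total += len(re.sub(r'\\(.)', r'\1', part).encode())
    return total

def max_dsize(value):
    """Largest payload size a dsize value permits, or None if there is no upper bound."""
    v = value.replace(' ', '')
    if '<>' in v:
        return int(v.split('<>')[1]) - 1   # assumption: range bounds are exclusive
    if v.startswith('<='):
        return int(v[2:])
    if v.startswith('<'):
        return int(v[1:]) - 1
    return int(v) if v.isdigit() else None  # '>N' and other forms: unbounded

def find_impossible(rules_text):
    """Return (sid, dsize limit, content length) for contents that cannot fit."""
    findings = []
    for line in map(str.strip, rules_text.splitlines()):
        if line.startswith('#') or '(' not in line or not line.endswith(')'):
            continue
        body = line[line.index('(') + 1:-1]
        opts = [(m.group(1), m.group(2) or '') for m in OPTION.finditer(body)]
        limit = next((max_dsize(v) for k, v in opts if k == 'dsize'), None)
        if limit is None:
            continue
        sid = next((v.strip() for k, v in opts if k == 'sid'), '?')
        for k, v in opts:
            # Negated contents are skipped: a long negated pattern is not a contradiction.
            if k == 'content' and not v.lstrip().startswith('!') and content_length(v) > limit:
                findings.append((sid, limit, content_length(v)))
    return findings
```

<div>Running find_impossible over a ruleset before reloading the engine surfaces this class of rule without relying on the pattern matcher to reject it at compile time.</div>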