[Oisf-users] this rule appears to make suri crash
Peter Manev
petermanev at gmail.com
Tue Aug 20 06:27:09 UTC 2013
Hi Russel,
On Tue, Aug 20, 2013 at 5:46 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Ah! after a lot more trial and error I think I hit on the wrong rule.
>
> I now believe that that it is the rule associated with file capture which makes a whole lot more sense from several perspectives.
>
> alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;)
So whe you load this rule - suricata crashes, correct?
>
> I even have have an idea about what the cause might be: I also have file-log set which appears to work fine except that the "magic" is always "unknown". If there is something screwy on my system with magic lookups then maybe that is involved it this crash.
do you have all the sgo, tso.... set to OFF - "ethtool -k eth3" - for
example , it will show you if there is any offloading enabled (ON) on
eth3
>
> Peter: you have a copy of my config, is there anything else you need?
I think you need to update the config as well -
"
<Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_sp_groups is
deprecated. Please use toclient-sp-groups on line 114.
"
so you need to get the new suricata.yaml and configure it accordingly.
>
> R
>
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list