[Oisf-users] this rule appears to make suri crash

Russell Fulton r.fulton at auckland.ac.nz
Tue Aug 20 07:17:29 UTC 2013


On 20/08/2013, at 6:27 PM, Peter Manev <petermanev at gmail.com> wrote:

> Hi Russell,
> 
> 
> 
> On Tue, Aug 20, 2013 at 5:46 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>> Ah! After a lot more trial and error I think I hit on the wrong rule.
>> 
>> I now believe that it is the rule associated with file capture, which makes a whole lot more sense from several perspectives.
>> 
>> alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;)
> 
> So when you load this rule - suricata crashes, correct?
> 
>> 
>> I even have an idea about what the cause might be:  I also have file-log set, which appears to work fine except that the "magic" is always "unknown".  If there is something screwy on my system with magic lookups then maybe that is involved in this crash.
> 
> do you have all the gso, tso.... set to OFF - "ethtool -k eth3" - for
> example, it will show you if there is any offloading enabled (ON) on
> eth3

I have turned off all the offloading (thanks Coop! I have belatedly done your recommended tuning ;) and that seems to have fixed it.

> 
>> 
>> Peter: you have a copy of my config, is there anything else you need?
> 
> I think you need to update the config as well -
> 
> "
> <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_sp_groups is
> deprecated. Please use toclient-sp-groups on line 114.
> "
> so you need to get the new suricata.yaml and configure it accordingly.

will do!

Russell
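The offloading check Peter describes above is worth scripting on a sensor host, because segmentation and receive offloads (TSO, GSO, GRO, LRO) hand the capture interface merged or oversized frames that never existed on the wire, which breaks stream reassembly and file extraction. The script below is an added example and is not part of this thread or of the Suricata project: it parses the output format of `ethtool -k`, lists every feature still reported "on" (skipping `[fixed]` entries the driver cannot change), and builds the matching `ethtool -K ... off` command. The `eth3` feature listing embedded in it is constructed sample output; on a real host, pass `$(ethtool -k eth3)` to the same functions instead.

```shell
#!/bin/sh
# Added example: audit NIC offload settings from `ethtool -k` output.
# SAMPLE_ETHTOOL_K is constructed sample output in ethtool's format so the
# script runs offline; replace it with "$(ethtool -k eth3)" on a sensor.
SAMPLE_ETHTOOL_K='Features for eth3:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
receive-hashing: on [fixed]'

# Print the name of every feature reported "on", one per line.
# Lines marked "[fixed]" are skipped: the driver will not let us change them.
enabled_offloads() {
  printf '%s\n' "$1" | awk -F': ' '
    $2 ~ /^on/ && $2 !~ /\[fixed\]/ { print $1 }
  '
}

# Number of changeable features still "on" (0 is what a tuned sensor wants).
count_enabled() {
  enabled_offloads "$1" | awk 'END { print NR }'
}

# Translate long feature names into the short keywords `ethtool -K` accepts
# and print the command that would disable all of them on $1.
# The command is only printed; run it as root on the capture interface.
disable_command() {
  iface="$1"
  features="$2"
  args=""
  for f in $features; do
    case "$f" in
      rx-checksumming)              args="$args rx off" ;;
      tx-checksumming)              args="$args tx off" ;;
      scatter-gather)               args="$args sg off" ;;
      tcp-segmentation-offload)     args="$args tso off" ;;
      generic-segmentation-offload) args="$args gso off" ;;
      generic-receive-offload)      args="$args gro off" ;;
      large-receive-offload)        args="$args lro off" ;;
      rx-vlan-offload)              args="$args rxvlan off" ;;
    esac
  done
  printf 'ethtool -K %s%s\n' "$iface" "$args"
}

# Stand-alone run against the constructed sample.
enabled="$(enabled_offloads "$SAMPLE_ETHTOOL_K")"
printf 'offload features still on: %s\n' "$(count_enabled "$SAMPLE_ETHTOOL_K")"
printf '%s\n' "$enabled"
disable_command eth3 "$enabled"
```

Re-run the audit after applying the generated command and after every reboot: offload settings are not persistent, so a sensor that was tuned once can silently drift back to the defaults unless the `ethtool -K` call is placed in the interface's startup configuration.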