[Oisf-users] Suricata Segfault With Sig:

Victor Julien lists at inliniac.net
Wed Aug 6 11:23:09 UTC 2014


On 08/06/2014 01:10 PM, Kevin Ross wrote:
> Correction on paragraph so it makes sense (tired):
> 
> I am trying out some local sigs. Whenever I enable this rule or even
> strip out some of the content matches it just segfaults. I have others
> like it too and they all do the same but I cannot seem to spot what is
> wrong. I thought if there is an error in the rule syntax it should just
> skip over it anyway? I am using version 2.0 on this sensor.
> 
> 
> On 6 August 2014 12:09, Kevin Ross <kevross33 at googlemail.com
> <mailto:kevross33 at googlemail.com>> wrote:
> 
>     Hi,
> 
>     I am trying out some local sigs. Whenever I enable this rule or even
>     strip out some of the content matches it just segfaults. I have
>     others like it too and they all do the same but I cannot seem to
>     spot what is wrong and I thought if there is an error in the rule
>     syntax it should just skip over it anyway? I am using version 2.0 on
>     this sensor.
> 
>     alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC
>     Potential CnC Response DONE"; flow:established,to_client;
>     content:"200"; http_stat_code; content:"OK"; http_stat_msg;
>     content:"Content-Length|3A| 4|0D 0A|"; http_header; file_data;
>     content:"DONE"; within:4; classtype:trojan-activity; sid:1769992;
>     rev;1;)

This rev is probably it: 'rev;1;' should be 'rev:1;'

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
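As an added illustration (not code from the thread or from the Suricata project), a small Python linter that splits a rule's option section on semicolons the way a rule parser would, and shows why `rev;1;` is malformed: it tokenizes into a valueless `rev` and an unknown option `1`. The keyword sets are a hand-picked subset and an assumption, not Suricata's full keyword table.

```python
import re

# Hand-picked subset of Suricata option keywords (an assumption, not the full list).
# Bare keywords take no value; the others need "keyword:value".
BARE_KEYWORDS = {"http_stat_code", "http_stat_msg", "http_header", "file_data",
                 "http_uri", "http_client_body", "nocase", "fast_pattern"}
VALUE_KEYWORDS = {"msg", "flow", "content", "within", "distance", "depth", "offset",
                  "classtype", "sid", "rev", "reference", "metadata", "pcre"}

# The rule from the thread, and the same rule with the suggested 'rev:1;' fix applied.
RULE_FROM_POST = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC '
                  'Potential CnC Response DONE"; flow:established,to_client; '
                  'content:"200"; http_stat_code; content:"OK"; http_stat_msg; '
                  'content:"Content-Length|3A| 4|0D 0A|"; http_header; file_data; '
                  'content:"DONE"; within:4; classtype:trojan-activity; sid:1769992; '
                  'rev;1;)')
FIXED_RULE = RULE_FROM_POST.replace("rev;1;", "rev:1;")

def split_options(opts):
    """Split the option section on ';' characters that sit outside double quotes."""
    tokens, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tokens.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return tokens + [tail] if tail else tokens

def lint_rule(rule):
    """Return a list of option-syntax problems found in one rule (empty if clean)."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return ["no option section between parentheses"]
    problems = []
    for tok in split_options(m.group(1)):
        key, sep, _ = tok.partition(":")
        key = key.strip()
        if sep and key not in VALUE_KEYWORDS | BARE_KEYWORDS:
            problems.append(f"unknown keyword '{key}'")
        elif not sep and key in VALUE_KEYWORDS:
            problems.append(f"'{key}' needs a value, found '{tok};'")
        elif not sep and key not in BARE_KEYWORDS:
            problems.append(f"unknown option '{tok};'")
    return problems
```

Running `lint_rule(RULE_FROM_POST)` reports the valueless `rev` and the stray `1`, while `lint_rule(FIXED_RULE)` returns an empty list.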
