[Oisf-users] Suricata Segfault With Sig:

Peter Manev petermanev at gmail.com
Wed Aug 6 13:56:57 UTC 2014



> On 6 aug 2014, at 13:23, Kevin Ross <kevross33 at googlemail.com> wrote:
> 
> Ah, that is it. I must have eyed past that a dozen times when checking the rule for these errors. I had it duplicated because I was incrementing the sid.

Is this behavior the same with Suricata 2.0.2?



> 
> Thanks,
> Kevin
> 
> 
>> On 6 August 2014 12:23, Victor Julien <lists at inliniac.net> wrote:
>> On 08/06/2014 01:10 PM, Kevin Ross wrote:
>> > Correction on paragraph so it makes sense (tired):
>> >
>> > I am trying out some local sigs. Whenever I enable this rule or even
>> > strip out some of the content matches it just segfaults. I have others
>> > like it too and they all do the same but I cannot seem to spot what is
>> > wrong. I thought if there is an error in the rule syntax it should just
>> > skip over it anyway? I am using version 2.0 on this sensor.
>> >
>> >
>> > On 6 August 2014 12:09, Kevin Ross <kevross33 at googlemail.com
>> > <mailto:kevross33 at googlemail.com>> wrote:
>> >
>> >     Hi,
>> >
>> >     I am trying out some local sigs. Whenever I enable this rule or even
>> >     strip out some of the content matches it just segfaults. I have
>> >     others like it too and they all reach the same but I cannot seem to
>> >     spot what is wrong and I thought if there is an error in the rule
>> >     syntax it should just skip over it anyway? I am using version 2.0 on
>> >     this sensor.
>> >
>> >     alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC
>> >     Potential CnC Response DONE"; flow:established,to_client;
>> >     content:"200"; http_stat_code; content:"OK"; http_stat_msg;
>> >     content:"Content-Length|3A| 4|0D 0A|"; http_header; file_data;
>> >     content:"DONE"; within:4; classtype:trojan-activity; sid:1769992;
>> >     rev;1;)
>> 
>> This rev is probably it: 'rev;1;' should be 'rev:1;'
>> 
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
> 
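A small lint pass that catches this class of option-syntax mistake (a value-taking keyword such as `rev` written as `rev;1;` instead of `rev:1;`) before a local rule is loaded, added here as an example and not code from the thread or from the Suricata project; the keyword sets and the sample rule string are assumptions covering only the keywords the rule in this thread uses:

```python
import re

# Constructed sample: the rule from the thread, including the malformed "rev;1;".
BAD_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC '
    'Potential CnC Response DONE"; flow:established,to_client; '
    'content:"200"; http_stat_code; content:"OK"; http_stat_msg; '
    'content:"Content-Length|3A| 4|0D 0A|"; http_header; file_data; '
    'content:"DONE"; within:4; classtype:trojan-activity; sid:1769992; '
    'rev;1;)'
)

# Assumed keyword sets, limited to what the sample rule uses.
VALUE_KEYWORDS = {"msg", "sid", "rev", "classtype", "flow", "content", "within"}
BARE_KEYWORDS = {"http_stat_code", "http_stat_msg", "http_header", "file_data", "nocase"}

def split_options(rule):
    """Return the option tokens between the rule's parentheses, splitting on
    ';' only outside double quotes so quoted content (|3A| etc.) stays intact."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"' and (not cur or cur[-1] != "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts

def lint_rule(rule):
    """Return a list of problems found in the rule's option section."""
    problems = []
    for opt in split_options(rule):
        if ":" in opt:
            key, value = (part.strip() for part in opt.split(":", 1))
            if not value:
                problems.append(f"keyword '{key}' has an empty value")
        elif opt in VALUE_KEYWORDS:
            # e.g. "rev;" -- the ':' was typed as ';' so the value became its own token
            problems.append(f"keyword '{opt}' needs a value: write '{opt}:<value>;'")
        elif opt not in BARE_KEYWORDS and not re.fullmatch(r"[A-Za-z_.]+", opt):
            problems.append(f"unexpected option token '{opt}'")
    return problems

if __name__ == "__main__":
    for problem in lint_rule(BAD_RULE):
        print(problem)
```

Running it on the sample reports both the bare `rev` and the stray `1` token; with `rev:1;` substituted the rule lints clean.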