[Oisf-users] Last ET update broken on Hyperscan

Erich Lerch erich.lerch at gmail.com
Wed Jul 19 08:31:25 UTC 2017


Yup, just tried to pinpoint the problem.
Suricata starts here as long as I do not include the file
etpro-mobile_malware.rules.
Guess there's something wrong with this file.

Erich

2017-07-19 10:19 GMT+02:00 Victor Julien <lists at inliniac.net>:
> Quick heads up: yesterday's ET update breaks on Hyperscan. Not sure which
> rule, or if it's Open or Pro only.
>
> The error we get is:
> [13021] 19/7/2017 -- 09:43:43 - (util-mpm-hs.c:684) <Error>
> (SCHSPreparePatterns) -- [ERRCODE: SC_ERR_FATAL(171)] - failed to
> compile hyperscan database
> [13021] 19/7/2017 -- 09:43:43 - (util-mpm-hs.c:686) <Error>
> (SCHSPreparePatterns) -- [ERRCODE: SC_ERR_FATAL(171)] - compile error:
> Expression has max_offset=21 but requires 22 bytes to match.
>
> After which Suricata crashes in a rule reload or quickly after start up.
>
> As I'm not able to pinpoint the rule today I recommend delaying the
> update for now, or switch to AC temporarily if you already updated:
> --set mpm-algo=ac
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
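
The file-by-file pinpointing described in this thread can be scripted. The following is an added example, not part of the original messages and not OISF code: it loads each rule file on its own in Suricata's test mode with Hyperscan forced on and lists the files that fail. The function names, the `SURICATA` and `SURICATA_YAML` variables and the default config path are assumptions, as is the expectation that test mode reproduces the compile error.

```shell
#!/bin/sh
# Added example: find the rule file(s) that stop Suricata from building
# its Hyperscan database, by testing each file in isolation.
# Assumptions: binary name and config path below; override via environment.
SURICATA="${SURICATA:-suricata}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# check_rule_file FILE
# Returns 0 if FILE loads cleanly with mpm-algo=hs, non-zero otherwise.
check_rule_file() {
    logdir=$(mktemp -d) || return 2
    status=0
    # -T: test mode (load config and rules, then exit)
    # -S: load only this rule file, ignoring rule-files from the config
    # -l: throwaway log directory so production logs stay untouched
    "$SURICATA" -T -c "$SURICATA_YAML" -S "$1" -l "$logdir" \
        --set mpm-algo=hs >"$logdir/out.txt" 2>&1 || status=$?
    # Also treat the logged error from the thread as a failure, in case
    # the process exits 0 despite logging it.
    if grep -rq 'failed to compile hyperscan database' "$logdir"; then
        status=1
    fi
    rm -rf "$logdir"
    return "$status"
}

# find_broken_rule_files DIR
# Prints every *.rules file in DIR that fails check_rule_file, one per line.
find_broken_rule_files() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        check_rule_file "$f" || printf '%s\n' "$f"
    done
}

# Usage (rule directory is an example path):
#   find_broken_rule_files /etc/suricata/rules
```

Running this against a freshly downloaded ruleset before it is deployed to the sensor catches this class of failure without touching the running engine.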


