[Oisf-users] Last ET update broken on Hyperscan

Travis Green travis at travisgreen.net
Wed Jul 19 13:14:01 UTC 2017


Thanks all, the rule has been fixed and pushed to the download servers.

- Travis

On Wed, Jul 19, 2017 at 2:56 AM, Victor Julien <lists at inliniac.net> wrote:

> On 19-07-17 10:34, Sascha Steinbiss wrote:
> > Hi all,
> >
> >> Quick heads up: yesterday's ET update breaks on Hyperscan. Not sure which
> >> rule, or if it's Open or Pro only.
> >
> > I've done some quick narrowing down using 'suricata -S' and the ET daily
> > changelog
> > (https://www.proofpoint.com/us/daily-ruleset-update-summary-20170718).
> > Result: For me commenting out the rule with SID 2827194 in
> > etpro-mobile_malware.rules fixed the issue.
>
> Great, thanks.
>
> The rule has 'dsize:21;' followed by a 22 byte pattern. So Hyperscan is
> correct.
>
> Suricata shouldn't crash like this of course, I opened
> https://redmine.openinfosecfoundation.org/issues/2187 for that.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------



-- 
PGP: ABE625E6
keybase.io/travisbgreen
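
The contradiction diagnosed in this thread (a `dsize:21;` followed by a 22-byte pattern) can be caught by linting rules before they are loaded. The following is an added example, not code from the thread, from Suricata or from the ET ruleset: the function names are hypothetical, the sample rules and SIDs are constructed, and it assumes every non-negated `content` is matched against the packet payload that `dsize` constrains.

```python
import re

CONTENT_RE = re.compile(r'\bcontent\s*:\s*(!?)\s*"((?:\\.|[^"\\])*)"')
DSIZE_RE = re.compile(r'\bdsize\s*:\s*(?:(\d+)\s*<>\s*)?([<>!]?)\s*(\d+)\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def content_len(pattern):
    """Byte length of a content pattern: |..| hex runs plus literal text."""
    total = 0
    for idx, part in enumerate(pattern.split('|')):
        if idx % 2:   # inside |..|: two hex digits per byte
            total += len(re.sub(r'[^0-9A-Fa-f]', '', part)) // 2
        else:         # literal text; a backslash escape yields one byte
            total += len(re.sub(r'\\(.)', r'\1', part))
    return total

def max_payload(rule):
    """Largest payload size the rule's dsize allows, or None if unbounded."""
    m = DSIZE_RE.search(rule)
    if not m or m.group(2) in ('>', '!'):
        return None
    n = int(m.group(3))
    # Assumption: a range's upper bound is used as-is (conservative).
    return n - 1 if m.group(2) == '<' else n

def impossible_contents(rule):
    """Return (sid, dsize_limit, pattern_len) for each pattern that cannot fit."""
    limit = max_payload(rule)
    if limit is None:
        return []
    m = SID_RE.search(rule)
    sid = int(m.group(1)) if m else None
    return [(sid, limit, content_len(p))
            for negated, p in CONTENT_RE.findall(rule)
            if not negated and content_len(p) > limit]

# Constructed sample rules (not from any real ruleset).
BAD = ('alert udp any any -> any any (msg:"constructed example"; dsize:21; '
       'content:"|00 01|ABCDEFGHIJKLMNOPQRST"; sid:1000001; rev:1;)')
GOOD = BAD.replace('dsize:21;', 'dsize:22;').replace('sid:1000001', 'sid:1000002')

if __name__ == '__main__':
    for rule in (BAD, GOOD):
        for sid, limit, length in impossible_contents(rule):
            print(f'sid {sid}: {length}-byte content cannot match with dsize <= {limit}')
```
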