[Oisf-users] Last ET update broken on Hyperscan

Francis Trudeau ftrudeau at emergingthreats.net
Wed Jul 19 18:02:35 UTC 2017


I also saw this on my local 3.2.1:

This is Suricata version 3.2.1 RELEASE
...
18/7/2017 -- 23:01:23 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - compile
error: Expression has max_offset=21 but requires 22 bytes to match.

This is in socket mode.  I didn't get this error doing local pcaps with a
small local ruleset.  I also didn't see the error in local mode with latest
git (rev 3063851).

I haven't had a chance to test more than that.

FT

On Wed, Jul 19, 2017 at 7:14 AM, Travis Green <travis at travisgreen.net>
wrote:

> Thanks all, the rule has been fixed and pushed to the download servers.
>
> - Travis
>
> On Wed, Jul 19, 2017 at 2:56 AM, Victor Julien <lists at inliniac.net> wrote:
>
>> On 19-07-17 10:34, Sascha Steinbiss wrote:
>> > Hi all,
>> >
>> >> Quick heads up: yesterday's ET update breaks on Hyperscan. Not sure which
>> >> rule, or if it's Open or Pro only.
>> >
>> > I've done some quick narrowing down using 'suricata -S' and the ET daily
>> > changelog
>> > (https://www.proofpoint.com/us/daily-ruleset-update-summary-20170718).
>> > Result: For me commenting out the rule with SID 2827194 in
>> > etpro-mobile_malware.rules fixed the issue.
>>
>> Great, thanks.
>>
>> The rule has 'dsize:21;' followed by a 22 byte pattern. So Hyperscan is
>> correct.
>>
>> Suricata shouldn't crash like this of course, I opened
>> https://redmine.openinfosecfoundation.org/issues/2187 for that.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>
>
>
> --
> PGP: ABE625E6
> keybase.io/travisbgreen
>
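Added example, not part of the original thread and not Suricata's or ET's own code: a minimal lint for the mismatch described above, a `dsize` limit smaller than the number of bytes a `content` pattern needs. The rule strings and SID are constructed; the check assumes every non-negated `content` is matched against the raw packet payload and ignores offset/depth/distance modifiers.

```python
import re
import string

OPTION_SPLIT = re.compile(r'(?<!\\);')   # ';' ends an option unless escaped as '\;'

def content_length(pattern):
    """Bytes a content pattern matches: |41 42| hex runs and backslash escapes decoded."""
    total, in_hex, hex_digits, i = 0, False, 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '|':                      # a pipe toggles hex mode
            if in_hex:
                total, hex_digits = total + hex_digits // 2, 0
            in_hex = not in_hex
        elif in_hex:
            hex_digits += ch in string.hexdigits   # spaces between hex bytes are skipped
        else:
            if ch == '\\':                 # an escaped character counts as one byte
                i += 1
            total += 1
        i += 1
    return total

def max_dsize(value):
    """Largest payload size a dsize value allows, or None if it has no upper bound."""
    value = value.strip()
    rng = re.fullmatch(r'(\d+)\s*<>\s*(\d+)', value)
    if rng:
        return int(rng.group(2)) - 1       # range bounds treated as exclusive
    if value.startswith('<'):
        return int(value[1:]) - 1
    return int(value) if value.isdigit() else None   # '>N' and '!N' are unbounded

def check_rule(rule):
    """Return (limit, needed) if a content needs more bytes than dsize allows, else None."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    limit, needed = None, 0
    for opt in OPTION_SPLIT.split(body):
        key, _, val = opt.strip().partition(':')
        val = val.strip()
        if key == 'dsize':
            limit = max_dsize(val)
        elif key == 'content' and val.startswith('"'):   # negated content is skipped
            needed = max(needed, content_length(val[1:-1]))
    return (limit, needed) if limit is not None and needed > limit else None

# Constructed rules (not the ET rule from the thread): a 22-byte pattern under dsize:21.
BAD = 'alert tcp any any -> any any (msg:"demo"; dsize:21; content:"ABCDEFGHIJ|0d 0a|KLMNOPQRST"; sid:1000001;)'
GOOD = BAD.replace('dsize:21', 'dsize:22')
```

Running `check_rule` over each line of a ruleset before deployment flags rules of this shape, whichever pattern matcher the sensor is built with.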