[Oisf-users] Last ET update broken on Hyperscan

Jeremy MJ jskier at gmail.com
Wed Jul 19 19:29:22 UTC 2017


Also seeing in 3.2.1, and 4 rc-2, using pf_ring.

Glad to see the ruleset has been updated and the issue of the segfault
is getting addressed, thank you.

--
Jeremy MJ


On Wed, Jul 19, 2017 at 1:02 PM, Francis Trudeau
<ftrudeau at emergingthreats.net> wrote:
> I also saw this on my local 3.2.1:
>
> This is Suricata version 3.2.1 RELEASE
> ...
> 18/7/2017 -- 23:01:23 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - compile
> error: Expression has max_offset=21 but requires 22 bytes to match.
>
> This is in socket mode.  I didn't get this error doing local pcaps with a
> small local ruleset.  I also didn't see the error in local mode with latest
> git (rev 3063851).
>
> I haven't had a chance to test more than that.
>
> FT
>
> On Wed, Jul 19, 2017 at 7:14 AM, Travis Green <travis at travisgreen.net>
> wrote:
>>
>> Thanks all, the rule has been fixed and pushed to the download servers.
>>
>> - Travis
>>
>> On Wed, Jul 19, 2017 at 2:56 AM, Victor Julien <lists at inliniac.net> wrote:
>>>
>>> On 19-07-17 10:34, Sascha Steinbiss wrote:
>>> > Hi all,
>>> >
>>> >> Quick heads up: yesterday's ET update breaks on Hyperscan. Not sure
>>> >> which rule, or if it's Open or Pro only.
>>> >
>>> > I've done some quick narrowing down using 'suricata -S' and the ET
>>> > daily changelog
>>> > (https://www.proofpoint.com/us/daily-ruleset-update-summary-20170718).
>>> > Result: For me commenting out the rule with SID 2827194 in
>>> > etpro-mobile_malware.rules fixed the issue.
>>>
>>> Great, thanks.
>>>
>>> The rule has 'dsize:21;' followed by a 22 byte pattern. So Hyperscan is
>>> correct.
>>>
>>> Suricata shouldn't crash like this of course, I opened
>>> https://redmine.openinfosecfoundation.org/issues/2187 for that.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>> --
>> PGP: ABE625E6
>> keybase.io/travisbgreen
>>
>
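As an added illustration (not code from this thread or from the Suricata project), a small Python checker that applies the same sanity check Hyperscan is enforcing here: a content pattern longer than the payload size that dsize allows can never match, so the rule can be flagged before it is loaded. The rule below is constructed to mirror the reported case (a 22-byte pattern under dsize:21) and is not the actual SID 2827194 rule; the dsize range semantics ('a<>b' excluding both ends) are assumed from the Suricata documentation.

```python
import re

# One "keyword:value;" or bare "keyword;" option; quoted values may contain ';'.
OPTION_RE = re.compile(r'\s*([a-z0-9_.]+)\s*(?::\s*((?:[^;"]|"(?:\\.|[^"\\])*")*))?\s*;')

def content_byte_length(content):
    """Byte length of a content string, e.g. "ab|00 01|c" -> 5."""
    s = content.strip().lstrip('!').strip()            # drop negation, if any
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    length, i = 0, 0
    while i < len(s):
        if s[i] == '|':                                 # hex block: |00 01| or |0001|
            end = s.index('|', i + 1)
            length += len(re.sub(r'\s', '', s[i + 1:end])) // 2
            i = end + 1
        else:                                           # '\x' escape is one byte
            length += 1
            i += 2 if s[i] == '\\' else 1
    return length

def dsize_max(value):
    """Largest payload size dsize allows, or None if unbounded ('a<>b' assumed exclusive)."""
    v = value.strip()
    m = re.fullmatch(r'(\d+)\s*<>\s*(\d+)', v)
    if m:
        return int(m.group(2)) - 1
    if v.startswith('<'):
        return int(v[1:]) - 1
    return None if v.startswith('>') else int(v)

def find_unmatchable_contents(rule):
    """Return (content, length, limit) for each content the dsize makes impossible."""
    opts = OPTION_RE.findall(rule[rule.index('(') + 1:rule.rindex(')')])
    limits = [dsize_max(v) for k, v in opts if k == 'dsize']
    if not limits or None in limits:
        return []
    limit = min(limits)
    return [(v, content_byte_length(v), limit)
            for k, v in opts if k == 'content' and content_byte_length(v) > limit]

# Constructed to mirror the thread's report (22-byte pattern under dsize:21); this is
# NOT the real SID 2827194 rule, whose content the thread does not show.
CONSTRUCTED_BAD_RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"CONSTRUCTED dsize/content mismatch"; dsize:21; '
    'content:"|00 01 02 03 04 05|0123456789abcdef"; sid:1000001; rev:1;)')
CONSTRUCTED_FIXED_RULE = CONSTRUCTED_BAD_RULE.replace('dsize:21;', 'dsize:22;')
```

Running `find_unmatchable_contents(CONSTRUCTED_BAD_RULE)` reports the 22-byte content against the limit of 21, while the fixed rule returns an empty list; the check ignores offset, depth and buffer modifiers, so it is a coarse pre-load filter rather than a full rule validator.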