[Oisf-users] Oisf-users Digest, Vol 118, Issue 28

Shell_Xu xuh881026 at gmail.com
Mon Sep 30 01:26:47 UTC 2019


Could someone tell me? I need your help.

<oisf-users-request at lists.openinfosecfoundation.org> wrote on Fri, Sep 27, 2019 at 1:45 PM:

> Today's Topics:
>
>    1. Re: Rule updates (Jason Ish)
>    2. Re: [EXT] Re:  4.1.5 Startup Error (jt)
>    3. Re: [EXT] Re:  4.1.5 Startup Error (Cloherty, Sean E)
>    4. Suricata Lua API (stack overflow) (Shell_Xu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 26 Sep 2019 09:13:50 -0600
> From: Jason Ish <jason.ish at oisf.net>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Rule updates
> Message-ID: <d4c58f5c-b937-27ea-6a5a-b2c0e7d84953 at oisf.net>
> Content-Type: text/plain; charset=utf-8
>
> On 2019-09-26 8:12 a.m., David Decker wrote:
> > All,
> >
> > I have a few off-line systems running in different locations with limited
> > bandwidth and would like to keep them all on the same rule sets.
> >
> > If I have a "master", for lack of a better term, with tuned rule sets and the
> > newest rules, is it possible to just copy the /rules directory, or are more
> > files required?
> >
> > Would this be possible instead of having to send out the ET rules, VRT
> > rules, and custom rules to each of them to run suricata-update?
>
> Yes. It's just files, so you are pretty flexible to do what you want.
>
> I've heard of use cases where suricata-update is used on one machine,
> and the resulting /var/lib/suricata/rules/suricata.rules is then pushed
> out to sensors with tools like Ansible, Salt, etc. Of course you could
> just use scp, or whatever. Just remember to SIGUSR2, or use suricatasc
> reload-rules to reload your rules after placing the new file in place.
>
>
> Jason
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 26 Sep 2019 11:39:54 -0400
> From: jt <jtfas90 at gmail.com>
> To: "Cloherty, Sean E" <scloherty at mitre.org>, "lists at inliniac.net"
>         <lists at inliniac.net>, "oisf-users at lists.openinfosecfoundation.org"
>         <oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] [EXT] Re:  4.1.5 Startup Error
> Message-ID: <81e36d6ece895ce7981e03d68316d19f22b8bbec.camel at gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On Thu, 2019-09-26 at 14:26 +0000, Cloherty, Sean E wrote:
> > I was under the impression that the install included its own libhtp
> > package.
> >
> Are you installing from the 4.1.5 tarball? If so, you're right, libhtp
> is bundled.
>
> > Is it possible that installing 4.1.5 after 5.0.0beta1 is causing
> > this?
>
> For what it's worth, we run 4.1.x and master branch/5.x side by side
> and haven't seen this.
>
> That being said, depending on install paths and uninstall/install
> methods there are some odd things going on.
>
> JT
> > Thanks.
> >
> > -----Original Message-----
> > From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org>
> > On Behalf Of Victor Julien
> > Sent: Thursday, September 26, 2019 9:43 AM
> > To: oisf-users at lists.openinfosecfoundation.org
> > Subject: [EXT] Re: [Oisf-users] 4.1.5 Startup Error
> >
> > On 26-09-19 15:24, Cloherty, Sean E wrote:
> > > Anybody else seeing this? I get the following error following a
> > > new install of 4.1.5 -> undefined symbol: htp_config_set_lzma_memlimit
> > >
> > > I am running on CentOS 7 and here is my configuration statement -
> > >
> > > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
> > > --with-libhs-includes=/usr/local/include/hs/
> > > --with-libhs-libraries=/usr/local/lib/
> > > --with-liblzma-includes=/usr/include/ --enable-gccprotect
> > > --enable-gccprofile --enable-gccmarch-native --enable-profiling
> > > --enable-lua --enable-geoip --enable-rust --enable-unix-socket
> > >
> > > Any ideas?
> >
> > Could you be having an outdated libhtp checkout in the suricata
> > directory?
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 26 Sep 2019 20:59:33 +0000
> From: "Cloherty, Sean E" <scloherty at mitre.org>
> To: jt <jtfas90 at gmail.com>, "lists at inliniac.net" <lists at inliniac.net>,
>         "oisf-users at lists.openinfosecfoundation.org"
>         <oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] [EXT] Re:  4.1.5 Startup Error
> Message-ID: <SN6PR0901MB2400D5F863633A624C57D592A8860 at SN6PR0901MB2400.namprd09.prod.outlook.com>
> Content-Type: text/plain; charset="utf-8"
>
> I think I've fixed this now.
>
> I installed the latest libhtp package from the OISF github site, extracted
> a new copy of the suricata tarball files, recompiled, and now it is looking
> good.
>
>
> Sean
>
> ------------------------------
>
> Message: 4
> Date: Fri, 27 Sep 2019 13:44:54 +0800
> From: Shell_Xu <xuh881026 at gmail.com>
> To: Open Information Security Foundation
>         <oisf-users at lists.openinfosecfoundation.org>
> Subject: [Oisf-users] Suricata Lua API (stack overflow)
> Message-ID: <CAHY=VAom8Fqae+Xb0A4oQGsCP3hUJCTL8X+_J9G1LJrcXg81DQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi, Suricata Team:
>
>     I tried to use Lua scripts to audit all HTTP traffic, but after the
> script runs for about 30 seconds, the program automatically exits and
> outputs the following message: PANIC: unprotected error in call to Lua API
> (stack overflow). Since I don't want to log all HTTP headers, I didn't
> enable the dump-all-headers option. Lua scripts were used to implement my
> needs. But obviously, I have a problem now; can anyone help me?
> Is this problem caused by the Lua script being unable to withstand the HTTP traffic?
>
> Traffic: 1.5 Gbps
> CPU: 1 CPU, 36 cores
> Memory: 60G
> Suricata 5.0.0-rc1
>
> My Lua script is in the attachment; please correct my mistake, any
> help would be appreciated.
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: http_audit_demo.lua
> Type: application/octet-stream
> Size: 5692 bytes
> Desc: not available
> URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190927/8c758759/attachment.obj>
>
> ------------------------------
>
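The push-then-reload workflow Jason describes in message 1 (suricata-update on one master, copy the merged suricata.rules to each sensor, then SIGUSR2 or suricatasc reload-rules), written out as an added example that is not from the list thread or the Suricata project. It assumes passwordless ssh/scp to each sensor, suricatasc on the sensor's PATH, and the default suricata-update output path; the checksum step is added so a truncated transfer never becomes the live ruleset.

```python
#!/usr/bin/env python3
"""Push the master's suricata-update output to remote sensors and reload rules.
Assumptions (not from the thread): ssh/scp key access to each sensor and
suricatasc available on the sensor; paths below are suricata-update defaults."""
import hashlib
import subprocess
import sys
from pathlib import Path

RULES_FILE = Path("/var/lib/suricata/rules/suricata.rules")  # suricata-update output on master
REMOTE_RULES = "/var/lib/suricata/rules/suricata.rules"      # same path on the sensors


def sha256_of(path):
    """Digest of the local rules file, used to verify the copy on the sensor."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def push_commands(sensor, local, remote, digest):
    """Build the argv lists for one sensor: copy, verify and swap, reload."""
    tmp = remote + ".new"
    return [
        # copy under a temporary name so a partial transfer never replaces the live file
        ["scp", "-q", str(local), f"{sensor}:{tmp}"],
        # move it into place only when the sensor-side checksum matches the master's
        ["ssh", sensor, f"echo '{digest}  {tmp}' | sha256sum -c --quiet && mv -f {tmp} {remote}"],
        # ask the running Suricata to reload its rules (same effect as sending SIGUSR2)
        ["ssh", sensor, "suricatasc -c reload-rules"],
    ]


def push_to_sensor(sensor, local=RULES_FILE, remote=REMOTE_RULES, run=subprocess.run):
    """Run the three steps in order and stop at the first failure; True on success."""
    digest = sha256_of(local)
    for argv in push_commands(sensor, local, remote, digest):
        if run(argv, check=False).returncode != 0:
            return False
    return True


if __name__ == "__main__":
    # usage: push_rules.py sensor1 sensor2 ...
    failed = [s for s in sys.argv[1:] if not push_to_sensor(s)]
    sys.exit(1 if failed else 0)
```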