Snort mailing list archives
Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 12 Aug 2016 16:27:39 +0000
Dave,

Sorry about any issues. We are correcting the rule issue with 39873, and the fix should be published soon; for now, I suggest you disable the rule.

About the 500 error, do you have any logs you can give us? Does it still occur? Can you change your crontab time and see if that helps?

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com
On Aug 12, 2016, at 12:02 PM, Dave Corsello <snort-users () wintertreemedia com> wrote:

> FYI: This happened on only one of the two sensors because pulledpork failed on the other one with a 500 error last night.
>
> On 8/12/2016 11:28 AM, Dave Corsello wrote:
>
>> FYI: I had a problem last night that seems to be resolved now. Pulledpork ran on schedule, and Snort crashed on restart. I'm using only the VRT subscriber rules.
>>
>> Syslog output:
>>
>> FATAL ERROR: /etc/snort/./rules/snort.rules(14388) : pcre compile of "\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51" failed at offset 31 : nothing to repeat
>>
>> The offending rule:
>>
>> drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; flow:to_client,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; distance:10; byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3319; reference:url,talosintel.com/reports/TALOS-2016-0170/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:attempted-user; sid:39873; rev:1;)
>>
>> This happened on one of my two sensors, both of which run pulledpork nightly. I re-ran pulledpork on the problem sensor, and I no longer see the offending rule.
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
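A pre-restart lint for the failure described in this thread, added here as an example (it is not from the thread, from pulledpork or from the Snort project): it pulls the pcre option out of each rule and flags a lookaround group that is immediately followed by a quantifier, the construct the PCRE compiler rejected in sid 39873. The sample rule set is constructed from the rule quoted above plus a constructed variant (sid 1000001) in which the quantifier sits on the following `.` instead; `lint_rules` and `find_quantified_lookarounds` are hypothetical helper names.

```python
import re

# pcre option of a Snort rule in its pcre:"/<pattern>/<flags>" form ('/' delimiter only)
PCRE_OPTION = re.compile(r'pcre:\s*!?"/(?P<pattern>.*?)/(?P<flags>[a-zA-Z]*)"')
SID_OPTION = re.compile(r'\bsid:\s*(\d+)')
QUANTIFIER = re.compile(r'[*+?]|\{\d+(?:,\d*)?\}')
LOOKAROUND = ("(?=", "(?!", "(?<=", "(?<!")

def find_quantified_lookarounds(pattern):
    """Return [(offset, text)] for each lookaround group directly followed by a
    quantifier, e.g. (?!\\xff\\x93){0,400}; offset is the quantifier's index.
    Structural on purpose: Python's re accepts this construct, unlike libpcre."""
    findings, open_groups, i = [], [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # escaped char: skip it and the next
            i += 1
        elif c == "[":                     # skip a character class wholesale
            j = i + 1 + pattern.startswith("^", i + 1)
            j += pattern.startswith("]", j)            # leading ']' is literal
            while j < len(pattern) and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j
        elif c == "(":
            open_groups.append((i, pattern.startswith(LOOKAROUND, i)))
        elif c == ")":
            start, is_look = open_groups.pop() if open_groups else (i, False)
            q = QUANTIFIER.match(pattern, i + 1)
            if is_look and q:
                findings.append((q.start(), pattern[start:q.end()]))
        i += 1
    return findings

def lint_rules(rules_text):
    """[(sid, offset, snippet)] for every rule whose pcre quantifies a lookaround."""
    out = []
    for line in rules_text.splitlines():
        m = PCRE_OPTION.search(line)
        if not m or line.lstrip().startswith("#"): continue
        sid = SID_OPTION.search(line)
        for offset, snippet in find_quantified_lookarounds(m.group("pattern")):
            out.append((int(sid.group(1)) if sid else None, offset, snippet))
    return out

# Constructed sample: the rule quoted in this thread (sid 39873) plus a constructed
# variant (sid 1000001) whose quantifier sits on the '.' after the lookahead.
SAMPLE_RULES = r'''
drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; flow:to_client,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; distance:10; byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3319; reference:url,talosintel.com/reports/TALOS-2016-0170/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:attempted-user; sid:39873; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED lookahead without quantifier"; pcre:"/\xff\x90.{10}(?!\xff\x93).{0,400}\xff\x51/sm"; sid:1000001; rev:1;)
'''
```

Run `lint_rules` over the downloaded snort.rules between the pulledpork fetch and the Snort restart; on the sample above it flags only sid 39873, reporting the quantifier at offset 25 with the snippet `(?!\xff\x93){0,400}`, so a cron job can skip the restart and alert instead of taking the sensor down.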
Current thread:
- fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)