Snort mailing list archives

fatal error with Snort Subscriber Rule Set Update for 08/11/2016


From: Dave Corsello <snort-users () wintertreemedia com>
Date: Fri, 12 Aug 2016 11:28:05 -0400

FYI: I had a problem last night that seems to be resolved now. Pulledpork ran on schedule, and Snort crashed on restart. I'm using only the VRT subscriber rules. Syslog output:

   FATAL ERROR: /etc/snort/./rules/snort.rules(14388) : pcre compile of
   "\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51" failed at offset 31 :
   nothing to repeat

The offending rule:

   drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
   (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ
   marker attempt"; flow:to_client,established; file_data;
   content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0;
   byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0;
   content:"|FF 51|"; within:400; distance:10;
   byte_test:2,>,csiz,0,relative;
   pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; metadata:policy
   security-ips drop, service ftp-data, service http, service imap,
   service pop3; reference:cve,2016-3319;
   reference:url,talosintel.com/reports/TALOS-2016-0170/;
   reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102;
   classtype:attempted-user; sid:39873; rev:1;)

This happened on one of my two sensors, both of which run pulledpork nightly. I re-ran pulledpork on the problem sensor, and I no longer see the offending rule.
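The crash above is the classic "nothing to repeat" PCRE compile error: a zero-width assertion such as `(?!\xff\x93)` is followed by a repeat count (`{0,400}`), and PCRE only accepts `{0}` or `{0,1}` on an assertion. Because Snort aborts on the first rule it cannot compile, a single bad rule in a nightly update takes the whole sensor down until someone intervenes. The following linter is an added example, not code from the post, from Snort or from PulledPork: it extracts each `pcre:"/.../flags"` option from a rules file and flags any lookaround group that is immediately followed by a disallowed quantifier, so a rule like sid:39873 can be quarantined before the restart. The `pcre:` extractor is a simplified, hypothetical one (the `m<delim>...<delim>` form of the option is not handled), the sample rules text is constructed (the post's rule plus a made-up clean rule with a local sid), and the reported offset is where the quantifier begins (25 here; the post's log reports 31, the index of the closing brace where PCRE finished reading it).

```python
"""Pre-restart lint for Snort rules: flag quantified lookaround assertions.

Added example; not code from the original post, from Snort or from PulledPork.
It looks for the construct that broke sid:39873: a zero-width assertion such as
(?!...) followed by a repeat other than {0} or {0,1}, which PCRE rejects with
"nothing to repeat".
"""
import re

# Hypothetical extractor for the option form pcre:[!]"/body/flags".
# The m<delim>body<delim> form described in the Snort manual is not handled.
PCRE_OPTION = re.compile(r'pcre:\s*(!?)"/(?P<body>.*?)/(?P<flags>[A-Za-z]*)"')
SID_OPTION = re.compile(r"\bsid:\s*(\d+)\s*;")
BRACE_QUANT = re.compile(r"\{(\d+)(?:,(\d*))?\}")
LOOKAROUND_OPENERS = ("(?=", "(?!", "(?<=", "(?<!")


def quantifier_at(body, i):
    """Return the quantifier token that starts at body[i], or None."""
    if i >= len(body):
        return None
    if body[i] in "*+?":
        return body[i]
    m = BRACE_QUANT.match(body, i)
    return m.group(0) if m else None


def harmless(quant):
    """{0} and {0,1} (also spelled ?) are the only repeats PCRE accepts on an assertion."""
    return quant in ("?", "{0}", "{0,1}")


def quantified_assertions(body):
    """Return [(offset, quantifier)] for each lookaround group in a PCRE body that
    is immediately followed by a disallowed quantifier; offset is the index at
    which the quantifier begins."""
    findings = []
    stack = []                  # one bool per open group: True if it is a lookaround
    i, n = 0, len(body)
    while i < n:
        c = body[i]
        if c == "\\":           # escape: skip the escaped character
            i += 2
        elif c == "[":          # character class: parentheses inside it do not nest
            j = i + 1
            if j < n and body[j] == "^":
                j += 1
            if j < n and body[j] == "]":    # a leading ']' is a literal
                j += 1
            while j < n and body[j] != "]":
                j += 2 if body[j] == "\\" else 1
            i = j + 1
        elif c == "(":
            stack.append(body.startswith(LOOKAROUND_OPENERS, i))
            i += 1
        elif c == ")":
            is_assertion = stack.pop() if stack else False
            i += 1
            if is_assertion:
                quant = quantifier_at(body, i)
                if quant and not harmless(quant):
                    findings.append((i, quant))
        else:
            i += 1
    return findings


def lint_rules(rules_text):
    """One record per rule whose pcre option quantifies an assertion. Rules are one
    per line; a trailing backslash continues a rule on the next line."""
    reports = []
    for line in rules_text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for m in PCRE_OPTION.finditer(line):
            findings = quantified_assertions(m.group("body"))
            if findings:
                sid = SID_OPTION.search(line)
                reports.append({"sid": sid.group(1) if sid else None,
                                "pcre": m.group("body"), "findings": findings})
    return reports


# Constructed sample: the rule quoted in the post (sid:39873) plus a made-up
# clean rule (local sid:1000001) whose lookahead carries no quantifier.
SAMPLE_RULES = r'''
drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; \
    flow:to_client,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0; \
    byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; distance:10; \
    byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; \
    metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; \
    reference:cve,2016-3319; reference:url,talosintel.com/reports/TALOS-2016-0170/; \
    reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:attempted-user; sid:39873; rev:1;)
# constructed clean rule: the lookahead is not quantified, so nothing is reported
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE lookahead without quantifier"; \
    flow:to_server,established; pcre:"/^GET\s+\/admin(?!\/login)/i"; sid:1000001; rev:1;)
'''

if __name__ == "__main__":
    # prints: sid:39873: assertion repeated with {0,400} at offset 25 of /\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/
    for report in lint_rules(SAMPLE_RULES):
        for offset, quant in report["findings"]:
            print(f"sid:{report['sid']}: assertion repeated with {quant} "
                  f"at offset {offset} of /{report['pcre']}/")
```

Run it against the rules file PulledPork just wrote, before the sensor is restarted, and hold back any sid it reports. It isolates only this one construct; the complete check is still a test-mode start with the real configuration (`snort -T -c <config>`), which compiles every rule with the same PCRE library the running Snort is linked against and so catches any compile error, not just this one.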
