Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016

[Dave Corsello <snort-users () wintertreemedia com>]

I think the 500 error happened because DNS had become unavailable on my 
network due to snort having crashed on the other sensor.  No 500 error 
and no rule-related error after running pulledpork again on both sensors.


On 8/12/2016 12:27 PM, Joel Esler (jesler) wrote:
> Dave,
>
> Sorry about any issues.  We are correcting the rule issue with 39873, 
> and the fix should be published soon, for now, I suggest you disable 
> the rule.
>
> About the 500 error, do you have any logs you can give us, does it 
> still occur, can you change your crontab time and see if that helps?
>
> --
> *Joel Esler*
> Manager
> Talos Group
> http://www.talosintelligence.com
>
> > On Aug 12, 2016, at 12:02 PM, Dave Corsello 
> > <snort-users () wintertreemedia com 
> > <mailto:snort-users () wintertreemedia com>> wrote:
> >
> > FYI:  This happened on only one of the two sensors because pulledpork 
> > failed on the other one with a 500 error last night.
> >
> >
> > On 8/12/2016 11:28 AM, Dave Corsello wrote:
> > > FYI:  I had a problem last night that seems to be resolved now.  
> > > Pulledpork ran on schedule, and Snort crashed on restart.  I'm using 
> > > only the VRT subscriber rules.  Syslog output:
> > >
> > >     FATAL ERROR: /etc/snort/./rules/snort.rules(14388) : pcre
> > >     compile of "\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51" failed at
> > >     offset 31 : nothing to repeat
> > >
> > > The offending rule:
> > >
> > >     drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> > >     (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000
> > >     SIZ marker attempt"; flow:to_client,established; file_data;
> > >     content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0;
> > >     byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0;
> > >     content:"|FF 51|"; within:400; distance:10;
> > >     byte_test:2,>,csiz,0,relative;
> > >     pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm";
> > >     metadata:policy security-ips drop, service ftp-data, service
> > >     http, service imap, service pop3; reference:cve,2016-3319;
> > >     reference:url,talosintel.com/reports/TALOS-2016-0170/
> > >     <http://talosintel.com/reports/TALOS-2016-0170/>;
> > >     reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102
> > >     <http://technet.microsoft.com/en-us/security/bulletin/ms16-102>;
> > >     classtype:attempted-user; sid:39873; rev:1;)
> > >
> > > This happened on one of my two sensors, both of which run pulledpork 
> > > nightly.  I re-ran pulledpork on the problem sensor, and I no longer 
> > > see the offending rule.
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> > > patterns at an interface-level. Reveals which users, apps, and protocols are
> > > consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> > > J-Flow, sFlow and other flows. Make informed decisions using capacity
> > > planning reports.http://sdm.link/zohodev2dev
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visithttp://blog.snort.org  to stay current on all the latest Snort news!
> >
> > ------------------------------------------------------------------------------
> > What NetFlow Analyzer can do for you? Monitors network bandwidth and 
> > traffic
> > patterns at an interface-level. Reveals which users, apps, and 
> > protocols are
> > consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> > J-Flow, sFlow and other flows. Make informed decisions using capacity
> > planning reports. 
> > http://sdm.link/zohodev2dev_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net 
> > <mailto:Snort-users () lists sourceforge net>
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort news!

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. http://sdm.link/zohodev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!