Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016

["Joel Esler (jesler)" <jesler () cisco com>]

Roger that.  Thanks.

> On Aug 12, 2016, at 1:48 PM, Dave Corsello <snort-users () wintertreemedia com> wrote:
>
> I think the 500 error happened because DNS had become unavailable on my network due to snort having crashed on the 
> other sensor.  No 500 error and no rule-related error after running pulledpork again on both sensors.
>
> On 8/12/2016 12:27 PM, Joel Esler (jesler) wrote:
> > Dave,
> >
> > Sorry about any issues.  We are correcting the rule issue with 39873, and the fix should be published soon, for now, 
> > I suggest you disable the rule.
> >
> > About the 500 error, do you have any logs you can give us, does it still occur, can you change your crontab time and 
> > see if that helps?
> >
> > --
> > Joel Esler
> > Manager
> > Talos Group
> > http://www.talosintelligence.com <http://www.talosintelligence.com/>
> >
> > > On Aug 12, 2016, at 12:02 PM, Dave Corsello <snort-users () wintertreemedia com <mailto:snort-users () 
> > > wintertreemedia com>> wrote:
> > >
> > > FYI:  This happened on only one of the two sensors because pulledpork failed on the other one with a 500 error last 
> > > night.
> > >
> > > On 8/12/2016 11:28 AM, Dave Corsello wrote:
> > > > FYI:  I had a problem last night that seems to be resolved now.  Pulledpork ran on schedule, and Snort crashed on 
> > > > restart.  I'm using only the VRT subscriber rules.  Syslog output:
> > > > FATAL ERROR: /etc/snort/./rules/snort.rules(14388) : pcre compile of "\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51" 
> > > > failed at offset 31 : nothing to repeat
> > > >
> > > > The offending rule:
> > > > drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid 
> > > > JPEG2000 SIZ marker attempt"; flow:to_client,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 
> > > > 51|"; distance:0; byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; 
> > > > distance:10; byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; metadata:policy 
> > > > security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3319; 
> > > > reference:url,talosintel.com/reports/TALOS-2016-0170/ <http://talosintel.com/reports/TALOS-2016-0170/>; 
> > > > reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102 
> > > > <http://technet.microsoft.com/en-us/security/bulletin/ms16-102>; classtype:attempted-user; sid:39873; rev:1;)
> > > >
> > > > This happened on one of my two sensors, both of which run pulledpork nightly.  I re-ran pulledpork on the problem 
> > > > sensor, and I no longer see the offending rule.
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> > > > patterns at an interface-level. Reveals which users, apps, and protocols are
> > > > consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> > > > J-Flow, sFlow and other flows. Make informed decisions using capacity
> > > > planning reports. http://sdm.link/zohodev2dev <http://sdm.link/zohodev2dev>
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net>
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users <https://lists.sourceforge.net/lists/listinfo/snort-users>
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> > > > <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>
> > > >
> > > > Please visit http://blog.snort.org <http://blog.snort.org/> to stay current on all the latest Snort news!
> > >
> > > ------------------------------------------------------------------------------
> > > What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> > > patterns at an interface-level. Reveals which users, apps, and protocols are
> > > consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> > > J-Flow, sFlow and other flows. Make informed decisions using capacity
> > > planning reports. http://sdm.link/zohodev2dev_______________________________________________ 
> > > <http://sdm.link/zohodev2dev_______________________________________________>
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net>
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users <https://lists.sourceforge.net/lists/listinfo/snort-users>
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> > > <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>
> > >
> > > Please visit http://blog.snort.org <http://blog.snort.org/> to stay current on all the latest Snort news!

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. http://sdm.link/zohodev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!