Snort mailing list archives
Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016
From: Dave Corsello <snort-users () wintertreemedia com>
Date: Fri, 12 Aug 2016 12:02:28 -0400
FYI: This happened on only one of the two sensors because pulledpork failed on the other one with a 500 error last night.
On 8/12/2016 11:28 AM, Dave Corsello wrote:
FYI: I had a problem last night that seems to be resolved now. Pulledpork ran on schedule, and Snort crashed on restart. I'm using only the VRT subscriber rules.

Syslog output:

    FATAL ERROR: /etc/snort/./rules/snort.rules(14388) : pcre compile of "\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51" failed at offset 31 : nothing to repeat

The offending rule:

    drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; flow:to_client,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; distance:10; byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3319; reference:url,talosintel.com/reports/TALOS-2016-0170/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:attempted-user; sid:39873; rev:1;)

This happened on one of my two sensors, both of which run pulledpork nightly. I re-ran pulledpork on the problem sensor, and I no longer see the offending rule.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
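A pre-restart check of the kind that would have caught this, added here as an example and not code from the thread, Snort or pulledpork: a stdlib-only Python lint that pulls each pcre option out of a rules file and flags a lookaround assertion directly followed by a quantifier, the `(?!...){0,400}` construct that PCRE refused with "nothing to repeat". It assumes Snort 2 rule syntax; the sample rules text is constructed (the quoted rule's pcre plus a placeholder local rule), and the lint complements rather than replaces running `snort -T -c <snort.conf>` before restarting the sensor.

```python
import re
LOOKAROUND = re.compile(r'\(\?<?[=!]')                  # (?= (?! (?<= (?<!
QUANTIFIER = re.compile(r'[*+?]|\{\d+(?:,\d*)?\}')      # * + ? {n} {n,} {n,m}
PCRE_OPT = re.compile(r'pcre:\s*"((?:[^"\\]|\\.)*)"')   # pcre:"..." incl. escapes

def matching_paren(pat, start):
    """Index of the ')' closing the '(' at pat[start]; None if never closed."""
    depth, i = 0, start
    while i < len(pat):
        c = pat[i]
        if c == '\\':                                   # escaped char, e.g. \) or \xff
            i += 2
        elif c == '[' and ']' in pat[i + 2:]:           # crude class skip, covers [)] and [^)]
            i = pat.index(']', i + 2) + 1
        else:
            depth += (c == '(') - (c == ')')
            if depth == 0:
                return i
            i += 1

def quantified_lookarounds(body):
    """[(offset, snippet)] for each assertion in `body` directly followed by a quantifier."""
    hits = []
    for m in LOOKAROUND.finditer(body):
        close = matching_paren(body, m.start())
        q = QUANTIFIER.match(body, close + 1) if close is not None else None
        if q:
            hits.append((close + 1, body[m.start():q.end()]))
    return hits

def lint_rules(text):
    """[(sid, offset, snippet)] for every rule whose pcre option quantifies a lookaround."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith('#'):
            continue
        m = re.search(r'\bsid:\s*(\d+)', line)
        sid = int(m.group(1)) if m else None
        for opt in PCRE_OPT.finditer(line):
            raw = opt.group(1).lstrip('!')              # drop negation; then /.../flags
            body = raw[1:raw.rfind(raw[0])]
            for off, snippet in quantified_lookarounds(body):
                findings.append((sid, off, snippet))
    return findings

# Constructed sample: the pcre from the rule quoted in the thread, plus a harmless local rule.
SAMPLE = r'''
drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ..."; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; sid:39873; rev:1;)
alert tcp any any -> any any (msg:"local test"; pcre:"/^foo(?![)x]bar)ba{0,4}/i"; sid:1000001; rev:1;)
'''
```

Running `lint_rules` over a freshly downloaded snort.rules and refusing to restart on any finding keeps a sensor up when a bad regex slips into an update.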
Current thread:
- fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)