Snort mailing list archives
Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 12 Aug 2016 18:10:53 +0000
Roger that. Thanks.
On Aug 12, 2016, at 1:48 PM, Dave Corsello <snort-users () wintertreemedia com> wrote:

I think the 500 error happened because DNS had become unavailable on my network due to snort having crashed on the other sensor. No 500 error and no rule-related error after running pulledpork again on both sensors.

On 8/12/2016 12:27 PM, Joel Esler (jesler) wrote:

Dave,

Sorry about any issues. We are correcting the rule issue with 39873, and the fix should be published soon; for now, I suggest you disable the rule.

About the 500 error, do you have any logs you can give us, does it still occur, can you change your crontab time and see if that helps?

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com

On Aug 12, 2016, at 12:02 PM, Dave Corsello <snort-users () wintertreemedia com> wrote:

FYI: This happened on only one of the two sensors because pulledpork failed on the other one with a 500 error last night.

On 8/12/2016 11:28 AM, Dave Corsello wrote:

FYI: I had a problem last night that seems to be resolved now. Pulledpork ran on schedule, and Snort crashed on restart. I'm using only the VRT subscriber rules.

Syslog output:

FATAL ERROR: /etc/snort/./rules/snort.rules(14388) : pcre compile of "\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51" failed at offset 31 : nothing to repeat

The offending rule:

drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; flow:to_client,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; distance:10; byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3319; reference:url,talosintel.com/reports/TALOS-2016-0170/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:attempted-user; sid:39873; rev:1;)

This happened on one of my two sensors, both of which run pulledpork nightly. I re-ran pulledpork on the problem sensor, and I no longer see the offending rule.
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
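The failure in the thread is a nightly pulledpork update shipping a rule whose pcre option PCRE rejects (the `{0,400}` quantifier applied to the `(?!\xff\x93)` lookahead is the "nothing to repeat" at offset 31), after which the unattended restart takes the sensor down. The script below is an added example, not code from the thread or from the Snort or pulledpork projects: it runs Snort's `-T` configuration test before restarting, and when a rule fails to compile it comments out that line of the rules file, logs the SID, and retries. It assumes `snort` is on PATH, a systemd unit named `snort`, and `logger` for syslog; the sample rules file it builds is constructed, with the second line an abbreviated copy of the sid:39873 rule quoted above.

```shell
#!/bin/sh
# Added example: test the Snort config before restart; on a rule-compile
# fatal, disable that rules-file line (keeping line numbers stable) and retry.

# Extract the rules-file line number from a message such as
#   FATAL ERROR: /etc/snort/./rules/snort.rules(14388) : pcre compile of "..." failed ...
# Prints nothing if the message is not a rules-file fatal.
fatal_rule_line() {
    printf '%s\n' "$1" | sed -n 's/^FATAL ERROR: .*\.rules(\([0-9][0-9]*\)) : .*/\1/p'
}

# Extract the rules-file path from the same kind of message.
fatal_rule_file() {
    printf '%s\n' "$1" | sed -n 's/^FATAL ERROR: \(.*\.rules\)([0-9]*) : .*/\1/p'
}

# Comment out line $2 of rules file $1 and print the SID that line carried.
disable_rule_line() {
    file=$1; n=$2
    awk -v n="$n" 'NR == n && match($0, /sid:[0-9]+;/) { print substr($0, RSTART + 4, RLENGTH - 5) }' "$file"
    awk -v n="$n" 'NR == n { $0 = "# disabled (failed to compile): " $0 } { print }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Constructed two-rule file for exercising the helpers offline; line 2 is an
# abbreviated copy of the sid:39873 rule from the thread.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp any any -> any any (msg:"constructed placeholder"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; pcre:"/\xff\x90.{10}(?!\xff\x93){0,400}\xff\x51/sm"; sid:39873; rev:1;)
EOF
}

# Test-then-restart loop. Assumes snort on PATH, a systemd unit named "snort",
# and at most 5 broken rules per update (assumptions, not from the thread).
preflight_restart() {
    conf=$1; tries=0
    while ! out=$(snort -T -c "$conf" 2>&1); do
        tries=$((tries + 1)); [ "$tries" -le 5 ] || { printf '%s\n' "$out" >&2; return 1; }
        msg=$(printf '%s\n' "$out" | grep '^FATAL ERROR:' | head -n 1)
        file=$(fatal_rule_file "$msg"); line=$(fatal_rule_line "$msg")
        [ -n "$file" ] && [ -n "$line" ] || { printf '%s\n' "$out" >&2; return 1; }
        sid=$(disable_rule_line "$file" "$line")
        logger -t snort-preflight "disabled sid ${sid:-?} at $file:$line: $msg"
    done
    systemctl restart snort
}
```

Disabling a rule silently removes coverage, so the `snort-preflight` syslog line is the event an operator should alert on, and the next pulledpork run will restore the rule once a corrected revision is published.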
Current thread:
- fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Joel Esler (jesler) (Aug 12)
- Re: fatal error with Snort Subscriber Rule Set Update for 08/11/2016 Dave Corsello (Aug 12)