[Oisf-devel] [Oisf-users] Suricata - test rule ignored/not dropping.

rmkml rmkml at free.fr
Mon Aug 2 20:10:27 UTC 2010


Hi,
I have these logs on my pcap files, but when I extract specific hosts/ports (with tcpdump), Suricata does not fire these logs!
small example:
  ...app-layer-parser.c... http ... on big download (iso)
after this log, a new log (always on the same pcap file):
  ...app-layer-parser.c... ssh ...
but if I extract the specific ssh session (on another pcap file) and replay the pcap on Suricata, no (app-layer-parser) log!
strange, hard to understand why...
maybe the stream reassembly memory is full and the next streams are not reassembled?
Regards
Rmkml


On Mon, 2 Aug 2010, Will Metcalf wrote:

> You will most likely see some of these at startup, as the engine will
> be coming into some http sessions mid-stream. Do you see this after
> initialization? Or is this limited to startup?  If it is not limited
> to startup if you can provide a pcap to me privately it would be very
> helpful.  Also this is actually only limited to the "Unable to match
> response to request" one.  If you could provide a pcap for the other
> would be super helpful ;-).
>
> Regards,
>
> Will
>
> On Sun, Aug 1, 2010 at 9:49 PM, Shant Kassardjian <shant at skylab.ca> wrote:
>> I just ran in IDS mode, -i em0, got same error messages, here's the full
>> output:
>> [100125] 1/8/2010 -- 22:41:19 - (alert-fastlog.c:333) <Info>
>> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
>> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:365) <Info>
>> (StreamTcpInitConfig) -- stream "max_sessions": 262144
>> [100167] 1/8/2010 -- 22:41:19 - (source-pcap.c:267) <Info>
>> (ReceivePcapThreadInit) -- using interface em0
>> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:377) <Info>
>> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
>> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:387) <Info>
>> (StreamTcpInitConfig) -- stream "memcap": 33554432
>> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:394) <Info>
>> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
>> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:402) <Info>
>> (StreamTcpInitConfig) -- stream "async_oneside": disabled
>> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:411) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
>> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:420) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
>> [100125] 1/8/2010 -- 22:41:19 - (tm-threads.c:1429) <Info>
>> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management
>> threads initialized, engine started.
>> [100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error>
>> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
>> HTTP client request: [1] [htp_request_generic.c] [150] Request field
>> invalid: colon missing
>> [100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst
>> port 80
>> [100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error>
>> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
>> HTTP client request: [1] [htp_request_generic.c] [150] Request field
>> invalid: colon missing
>> [100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51616 and dst
>> port 80
>> [100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error>
>> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
>> HTTP client request: [1] [htp_request_generic.c] [150] Request field
>> invalid: colon missing
>> [100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51621 and dst
>> port 80
>> [100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error>
>> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
>> HTTP client request: [1] [htp_request_generic.c] [150] Request field
>> invalid: colon missing
>> [100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51622 and dst
>> port 80
>> [100170] 1/8/2010 -- 22:41:53 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51617 and dst
>> port 80
>> [100170] 1/8/2010 -- 22:41:54 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51619 and dst
>> port 80
>> [100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error>
>> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
>> HTTP server response: [1] [htp_response.c] [671] Unable to match response to
>> request
>> [100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst
>> port 80
>>
>> ________________________________
>> To: shant at skylab.ca; pookme at hotmail.com;
>> oisf-users-bounces at openinfosecfoundation.org; william.metcalf at gmail.com
>> CC: oisf-users at openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
>> From: oisf at rogness.net
>> Date: Mon, 2 Aug 2010 02:37:04 +0000
>>
>> Looks like a potential bug. If you run in IDS mode, with -i em0 without the
>> -d 8000, and remove the ipfw rule, does it still produce the error?
>>
>> Nick
>>
>>
>> Sent from my BlackBerry Smartphone provided by Alltel
>> ________________________________
>> From: Shant Kassardjian <shant at skylab.ca>
>> Sender: <pookme at hotmail.com>
>> Date: Mon, 2 Aug 2010 02:27:56 +0000
>> To: <oisf at rogness.net>; <oisf-users-bounces at openinfosecfoundation.org>;
>> <william.metcalf at gmail.com>
>> Cc: <oisf-users at openinfosecfoundation.org>
>> Subject: RE: [Oisf-users] Suricata - test rule ignored/not dropping.
>>
>> Hi Nick,
>> Yes, I have interfaces (em1, em2, em3,em4, em5) configured under bridge0,
>> plus an em0 interface which is not part of the bridge0 and provides routing
>> for internet connectivity.
>> here's how the flow occurs:
>> pc -> bridge0 -> em0 -> internet
>> My ipfw script is very basic
>> #!/bin/sh
>> ipfw -q -f flush
>> ipfw -q zero
>> ipfw -q resetlog
>> ipfw add 010 divert 8000 ip from any to any via em0
>> Configuring the suricata.yml to set console output to yes now provides
>> additional details to the error message:
>>
>> [100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error>
>> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
>> HTTP client request: [1] [htp_request_generic.c] [150] Request field
>> invalid: colon missing
>> [100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst
>> port 80
>> [100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error>
>> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
>> HTTP server response: [1] [htp_response.c] [671] Unable to match response to
>> request
>> [100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst
>> port 80
>> [100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) <Error>
>> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
>> "http" app layer protocol, using network protocol 6, source IP address
>> 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst
>> port 80
>>
>> hope this helps!
>> Shant K
>>
>>> To: shant at skylab.ca; oisf-users-bounces at openinfosecfoundation.org;
>>> william.metcalf at gmail.com
>>> CC: oisf-users at openinfosecfoundation.org
>>> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
>>> From: oisf at rogness.net
>>> Date: Sun, 1 Aug 2010 20:09:25 +0000
>>>
>>>
>>> Are you bridging between interfaces? Does this happen when you are routing
>>> versus bridging?
>>>
>>> Nick
>>>
>>> Sent from my BlackBerry Smartphone provided by Alltel
>>>
>>> -----Original Message-----
>>> From: Shant Kassardjian <shant at skylab.ca>
>>> Sender: oisf-users-bounces at openinfosecfoundation.org
>>> Date: Sun, 1 Aug 2010 18:24:32
>>> To: <william.metcalf at gmail.com>
>>> Cc: <oisf-users at openinfosecfoundation.org>
>>> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>

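A triage script for the log records quoted in this thread, added here as an example and not part of the thread or of Suricata itself: it parses the `[thread] d/m/yyyy -- HH:MM:SS - (file:line) <Level> (Func) -- message` layout, groups the SC_ERR_ALPARSER errors by libhtp reason and by flow, and counts how many fell more than a chosen number of seconds after the "engine started" record, which is the startup-only versus ongoing distinction Will asks about. The sample records are constructed from the values Shant posted, unwrapped to one record per line; the 30-second startup window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the records Shant posted, one record per line
# as Suricata writes them (the mail client wrapped the originals).
SAMPLE_LOG = """\
[100125] 1/8/2010 -- 22:41:19 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started.
[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst port 80
[100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst port 80
"""

# Record layout: [thread] d/m/yyyy -- HH:MM:SS - (file.c:line) <Level> (Func) -- message
LINE_RE = re.compile(r"^\[(\d+)\] (\d+/\d+/\d{4} -- \d\d:\d\d:\d\d) - \(([^)]+)\) <(\w+)> \((\w+)\) -- (.*)$")
# libhtp detail inside an HTPHandle* message: [htp_file.c] [line] reason
HTP_RE = re.compile(r"\[(htp_[\w.]+)\] \[(\d+)\] (.+)$")
# Flow tuple inside an AppLayerParse message
FLOW_RE = re.compile(r"source IP address ([\d.]+), destination IP address ([\d.]+), src port (\d+) and dst port (\d+)")

def triage(log_text, startup_window=30):
    """Count SC_ERR_ALPARSER errors by libhtp reason and by flow, and report how
    many fell more than `startup_window` seconds after 'engine started' (assumed window)."""
    started = None
    reasons, flows = Counter(), Counter()
    total = after_startup = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%m/%Y -- %H:%M:%S")
        msg = m.group(6)
        if msg.endswith("engine started."):
            started = ts          # reference point for the startup-vs-ongoing question
            continue
        if "SC_ERR_ALPARSER" not in msg:
            continue
        total += 1
        if started and (ts - started).total_seconds() > startup_window:
            after_startup += 1    # errors this late are not mid-stream pickups at boot
        h = HTP_RE.search(msg)
        if h:
            reasons[h.group(3)] += 1     # e.g. "Request field invalid: colon missing"
        f = FLOW_RE.search(msg)
        if f:
            flows[f.groups()] += 1       # (sip, dip, sport, dport)
    return {"total": total, "after_startup": after_startup, "reasons": dict(reasons), "flows": dict(flows)}
```

Run `triage(open("suricata.log").read())` against a full log; a non-zero `after_startup` with a flow set that keeps growing means the errors are not a startup artefact and a pcap of one of those flows is what the developers ask for.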
