[Oisf-devel] Problems detecting app-layer session (re-sending as smaller size email)

Adrian Falk adrianfalk2 at gmail.com
Sun Feb 15 15:06:12 UTC 2015


Hello,

I'm having trouble detecting an app-layer session for a registered port.
This only happens when the pcap file I feed to Suricata has the
characteristics/errors shown in the Wireshark output below. With a
clean pcap file there is no issue.

The following two packets (21 and 25) from the Wireshark capture show the
packets Suricata sees as the first two packets for this session. Packet 21
is actually to-server, but Suricata classifies it as to-client.

21 2.927665 192.168.2.8 192.168.2.12 TCP 60 [TCP Acked unseen segment] netinfo-local >..
25 3.217648 192.168.2.12 192.168.2.18 TCP 60 [TCP Previous segment not captured]

In the following Suricata log, it shows how packet 25 processing fails to
find a probing parser for either port, even though it logs that it finds the
probing parser for the source port. I print a DEBUG statement that indicates
pp_port_sp->sp = (nil). After that it never even attempts to detect this
session again throughout the run.

15/2/2015 -- 09:48:17 - <Debug> - Entering ... >>
15/2/2015 -- 09:48:17 - <Debug> - Returning: 0 ... <<
15/2/2015 -- 09:48:17 - <Debug> - Returning pointer (nil) of type AppLayerProtoDetectProbingParserPort * ... <<
15/2/2015 -- 09:48:17 - <Debug> - toclient - No probing parser registered for dest port 1033
15/2/2015 -- 09:48:17 - <Debug> - Returning pointer 0x27738b0 of type AppLayerProtoDetectProbingParserPort * ... <<
15/2/2015 -- 09:48:17 - <Debug> - toclient - Probing parser found for source port 20000
15/2/2015 -- 09:48:17 - <Debug> - DEBUG:pp_port_sp->sp = (nil)
15/2/2015 -- 09:48:17 - <Debug> - toclient - No probing parsers found for either port
15/2/2015 -- 09:48:17 - <Debug> - toclient, mask is now 00000000
15/2/2015 -- 09:48:17 - <Debug> - Returning: 0 ... <<

Any help would be much appreciated.

Thanks.
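The debug output above shows two lookups keyed by the flow's ports: the entry for dest port 1033 is absent, and the entry for source port 20000 exists but its sp (to-client) list is nil. The following is an added example, not Suricata's code and not part of the original post: a simplified Python model of a per-port probing-parser registry with separate dp/sp lists, used to reproduce that outcome when a session is picked up midstream (the flow is created from a server-to-client packet, so the flow's sp/dp are inverted) and to show that registering the probe for the to-client direction as well makes the lookup succeed. The port numbers 20000 and 1033 come from the log; the probe function, its 3-byte magic, the payload and all function names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOSERVER = "toserver"
TOCLIENT = "toclient"

# A probe inspects a payload and returns a protocol name, or None if no match.
Probe = Callable[[bytes], Optional[str]]


@dataclass
class ProbingParserPort:
    """Probing parsers registered on one port, split by direction.
    Simplified model of the dp/sp split visible in the post's debug output."""
    port: int
    dp: List[Probe] = field(default_factory=list)  # tried when port is the flow's dest port
    sp: List[Probe] = field(default_factory=list)  # tried when port is the flow's source port


class ProbingParserRegistry:
    def __init__(self) -> None:
        self.ports: Dict[int, ProbingParserPort] = {}

    def register(self, port: int, direction: str, probe: Probe) -> None:
        entry = self.ports.setdefault(port, ProbingParserPort(port))
        (entry.dp if direction == TOSERVER else entry.sp).append(probe)

    def get(self, port: int) -> Optional[ProbingParserPort]:
        return self.ports.get(port)


@dataclass
class Flow:
    """Ports fixed by the FIRST packet seen: its source side becomes the flow's
    'client'. On a midstream pickup from a server->client packet, sp/dp are inverted."""
    sp: int
    dp: int


def candidate_parsers(reg: ProbingParserRegistry, flow: Flow) -> Tuple[List[Probe], List[Probe]]:
    """The two lookups seen in the log: the dest-port entry contributes its dp list,
    the source-port entry its sp list. Either entry may be missing, or its list empty."""
    pp_port_dp = reg.get(flow.dp)
    pp_port_sp = reg.get(flow.sp)
    pe1 = pp_port_dp.dp if pp_port_dp is not None else []  # "(nil)" when the entry is absent
    pe2 = pp_port_sp.sp if pp_port_sp is not None else []
    return pe1, pe2


def detect(reg: ProbingParserRegistry, flow: Flow, payload: bytes) -> Optional[str]:
    pe1, pe2 = candidate_parsers(reg, flow)
    for probe in pe1 + pe2:
        proto = probe(payload)
        if proto is not None:
            return proto
    return None  # nothing registered for either port, or no probe matched


# Constructed sample protocol: a hypothetical 3-byte magic, not a real wire format.
def probe_sample(payload: bytes) -> Optional[str]:
    return "sample" if payload.startswith(b"NI\x01") else None


SERVER_PORT = 20000  # from the log
CLIENT_PORT = 1033   # from the log
PAYLOAD = b"NI\x01hello"  # constructed


def build_registry(both_directions: bool) -> ProbingParserRegistry:
    reg = ProbingParserRegistry()
    reg.register(SERVER_PORT, TOSERVER, probe_sample)
    if both_directions:
        reg.register(SERVER_PORT, TOCLIENT, probe_sample)
    return reg


def scenario_clean(reg: ProbingParserRegistry) -> Optional[str]:
    # Flow created from the client's first packet: sp=1033, dp=20000.
    return detect(reg, Flow(sp=CLIENT_PORT, dp=SERVER_PORT), PAYLOAD)


def scenario_midstream(reg: ProbingParserRegistry) -> Optional[str]:
    # Flow created from a server->client packet seen first: sp=20000, dp=1033.
    return detect(reg, Flow(sp=SERVER_PORT, dp=CLIENT_PORT), PAYLOAD)


if __name__ == "__main__":
    only_ts = build_registry(both_directions=False)
    print("clean pcap, to-server probe only:    ", scenario_clean(only_ts))
    print("midstream pickup, to-server probe only:", scenario_midstream(only_ts))
    both = build_registry(both_directions=True)
    print("midstream pickup, both directions:     ", scenario_midstream(both))
```

In the model, the midstream case with only a to-server probe ends with both candidate lists empty, which is the "No probing parsers found for either port" outcome in the log; adding a to-client registration on the same port is what turns it into a hit. Whether that is the right fix for the real parser depends on whether the protocol's server-side messages can be probed, since Suricata registers probing parsers per direction.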