<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<div>Hello Victor,</div><div><br></div><div>Here is the full output, below you will see a sample http.log output.</div><div><br></div><div>core# suricata -c suricata.old -d 8000 /usr/local/etc/suricata</div><div>[100096] 31/7/2010 -- 14:24:13 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1</div><div>[100096] 31/7/2010 -- 14:24:13 - (util-cpu.c:167) <Info> (UtilCpuPrintSummary) -- CPUs Summary:</div><div>[100096] 31/7/2010 -- 14:24:13 - (util-cpu.c:169) <Info> (UtilCpuPrintSummary) -- CPUs online: 2</div><div>[100096] 31/7/2010 -- 14:24:13 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs configured 2</div><div>Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"</div><div>[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertFastLog" registered.</div><div>[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertDebugLog" registered.</div><div>[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.</div><div>[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.</div><div>[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "Unified2Alert" registered.</div><div>[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "LogHttpLog" registered.</div><div>[100096] 31/7/2010 -- 14:24:13 - (suricata.c:997) <Info> (main) -- preallocated 50 packets. Total memory 4016400</div><div>[100096] 31/7/2010 -- 14:24:13 - (flow.c:746) <Info> (FlowInitConfig) -- initializing flow engine...</div><div>[100096] 31/7/2010 -- 14:24:13 - (flow.c:833) <Info> (FlowInitConfig) -- allocated 1048576 bytes of memory for the flow hash... 65536 buckets of size 16</div><div>[100096] 31/7/2010 -- 14:24:13 - (flow.c:852) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 248</div><div>[100096] 31/7/2010 -- 14:24:13 - (flow.c:854) <Info> (FlowInitConfig) -- flow memory usage: 3528576 bytes, maximum: 33554432</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:387) <Info> (SigLoadSignatures) -- 1 rule files processed. 7 rules succesfully loaded, 0 rules failed</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect-engine-sigorder.c:829) <Info> (SCSigOrderSignatures) -- ordering signatures in memory</div><div>SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 8</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect-engine-sigorder.c:870) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 8</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:1480) <Info> (SigAddressPrepareStage1) -- 8 signatures processed. 0 are IP-only rules, 5 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:1483) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:1968) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address lists...</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2037) <Info> (SigAddressPrepareStage2) -- 8 total signatures:</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2058) <Info> (SigAddressPrepareStage2) -- TCP Source address blocks: any: 1, ipv4: 9, ipv6: 1.</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2078) <Info> (SigAddressPrepareStage2) -- UDP Source address blocks: any: 2, ipv4: 14, ipv6: 2.</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2098) <Info> (SigAddressPrepareStage2) -- ICMP Source address blocks: any: 2, ipv4: 2, ipv6: 2.</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2102) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... done</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2681) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists...</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2764) <Info> (SigAddressPrepareStage3) -- MPM memory 290983 (dynamic 290343, ctxs 640, avg per ctx 15281)</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2766) <Info> (SigAddressPrepareStage3) -- max sig id 8, array size 2</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2767) <Info> (SigAddressPrepareStage3) -- signature group heads: unique 15, copies 94.</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2769) <Info> (SigAddressPrepareStage3) -- MPM instances: 19 unique, copies 11 (none 0).</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2771) <Info> (SigAddressPrepareStage3) -- MPM (URI) instances: 1 unique, copies 14 (none 0).</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2772) <Info> (SigAddressPrepareStage3) -- MPM max patcnt 3, avg 0</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2775) <Info> (SigAddressPrepareStage3) -- port maxgroups: 40, avg 21, tot 525</div><div>[100096] 31/7/2010 -- 14:24:13 - (detect.c:2776) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... done</div><div>[100096] 31/7/2010 -- 14:24:13 - (util-profiling.c:311) <Info> (SCProfilingInitRuleCounters) -- Registered 8 rule profiling counters.</div><div><br></div><div>[100096] 31/7/2010 -- 14:24:13 - (util-threshold-config.c:104) <Error> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory</div><div>[100096] 31/7/2010 -- 14:24:13 - (alert-fastlog.c:333) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log</div><div>[100125] 31/7/2010 -- 14:24:13 - (source-ipfw.c:302) <Info> (ReceiveIPFWThreadInit) -- Using IPFW divert port 8000</div><div>[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144</div><div>[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768</div><div>[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:387) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432</div><div>[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:394) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled</div><div>[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled</div><div>[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:411) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864</div><div>[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576</div><div>[100096] 31/7/2010 -- 14:24:14 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 3 management threads initialized, engine started.</div><div>[100154] 31/7/2010 -- 14:25:29 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</div><div>[100154] 31/7/2010 -- 14:25:29 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49645 and dst port 80</div><div>[100154] 31/7/2010 -- 14:25:29 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</div><div>[100154] 31/7/2010 -- 14:25:29 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49646 and dst port 80</div><div>[100154] 31/7/2010 -- 14:25:30 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</div><div>[100154] 31/7/2010 -- 14:25:30 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49647 and dst port 80</div><div>[100154] 31/7/2010 -- 14:25:30 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</div><div>[100154] 31/7/2010 -- 14:25:30 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49648 and dst port 80</div><div>[100154] 31/7/2010 -- 14:25:32 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</div><div>[100154] 31/7/2010 -- 14:25:32 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49644 and dst port 80</div><div>[100154] 31/7/2010 -- 14:25:34 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request</div><div>[100154] 31/7/2010 -- 14:25:34 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49643 and dst port 80</div><div>[100154] 31/7/2010 -- 14:25:36 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request</div><div>[100154] 31/7/2010 -- 14:25:36 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49649 and dst port 80</div><div>[100154] 31/7/2010 -- 14:25:36 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request</div><div>[100154] 31/7/2010 -- 14:25:36 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49642 and dst port 80</div><div><br></div><div><br></div><div>[In http.log I get multiple entries for]</div><div><br></div><div>07/31/10-18:25:40.097329 www.blogsmithmedia.com [**] /www.engadget.com/media/col 2_kirf_label_real.gif [**] Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Vers ion/10.60 [**] 172.25.1.10:80 -> 24.200.239.40:49634</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><br>> Date: Sat, 31 Jul 2010 09:27:50 +0200<br>> From: victor@inliniac.net<br>> To: shant@skylab.ca<br>> CC: oisf-users@openinfosecfoundation.org; oisf-users-bounces@openinfosecfoundation.org<br>> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]<br>> <br>> Shant Kassardjian wrote:<br>> > Anyways, I know have another problem the spite suricata is functioning<br>> > properly, I get the following error on each web site I browse:<br>> > <br>> > <br>> > [100154] 30/7/2010 -- 19:36:28 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in<br>> > parsing "http" app layer protocol, using network protocol 6, source IP<br>> > address 172.25.1.10, destination IP address 24.200.239.18, src port<br>> > 49343 and dst port 80<br>> > <br>> > <br>> > [100154] 30/7/2010 -- 19:44:03 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in<br>> > parsing "http" app layer protocol, using network protocol 6, source IP<br>> > address 172.25.1.10, destination IP address 64.191.203.30, src port<br>> > 49580 and dst port 80<br>> <br>> Usually in the line above it, it will print the error reason. It's not<br>> uncommon to see some of these.<br>> <br>> Are you seeing the http requests appear in your<br>> /var/log/suricata/http.log? If so it means they are at least partly<br>> understood by Suricata.<br>> <br>> Cheers,<br>> Victor<br>> <br>> <br>> > <br>> > <br>> > Is this a configuration problem? There might be a small performance hit<br>> > because of this problem.<br>> > <br>> > <br>> > Many thanks for the help.<br>> > <br>> > <br>> > <br>> > <br>> > <br>> >> To: rmkml@free.fr; oisf-users-bounces@openinfosecfoundation.org;<br>> > shant@skylab.ca<br>> >> From: oisf@rogness.net<br>> >> Date: Fri, 30 Jul 2010 17:46:40 +0000<br>> >> CC: oisf-users@openinfosecfoundation.org<br>> >> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main)<br>> > --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]<br>> >><br>> >> You must specify which packets to send to suricata via an ipfw rule.<br>> > For example:<br>> >><br>> >> ipfw divert 8000 ip from any to any via em0<br>> >><br>> >> This example ipfw rule instructs the kernel to send packets, of type<br>> > IP, with any source/destination address, which either come in or out<br>> > interface em0, to a divert socket 8000.<br>> >><br>> >> Suricata, configured with -d 8000, picks the packets off by listening<br>> > to this divert socket 8000.<br>> >><br>> >> The 8000 specified in the suricata argument to -d MUST match the same<br>> > value which is added in the 'ipfw divert 8000 ...' command, or suricata<br>> > will not see packets from IPFW.<br>> >><br>> >> The -i em0 flag is not need for suricata running with IPFW divert<br>> > sockets. It would only be need if you were running in IDS mode via pcap<br>> > or equivalent.<br>> >><br>> >> Hope this helps.<br>> >><br>> >> Nick<br>> >><br>> >> Sent from my BlackBerry Smartphone provided by Alltel<br>> >><br>> >> -----Original Message-----<br>> >> From: rmkml <rmkml@free.fr><br>> >> Sender: oisf-users-bounces@openinfosecfoundation.org<br>> >> Date: Fri, 30 Jul 2010 18:50:04<br>> >> To: Shant Kassardjian<shant@skylab.ca><br>> >> Cc: <oisf-users@openinfosecfoundation.org><br>> >> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --<br>> >> [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]<br>> >><br>> >> Hi Shant,<br>> >> maybe can help you ?:<br>> >> http://www.codealias.info/technotes/freebsd_divert_sockets<br>> >> ..."A divert socket is a socket that can be used to alter packets<br>> > before being processed by the networking stack."...<br>> >> Regards<br>> >> Rmkml<br>> >><br>> >><br>> >> On Fri, 30 Jul 2010, Shant Kassardjian wrote:<br>> >><br>> >> > Hello Eric,<br>> >> ><br>> >> > Thank you for your reply, I am a bit confused as to which interface<br>> > suricata monitors traffic on? I have the bridge0 interface configured<br>> > for (em1, em2, ... em5)<br>> >> > 5 sub interfaces and em0 which is my uplink interface.<br>> >> ><br>> >> > I though with -i em0 -d 8000 it would listen for traffic passing<br>> > only through em0 and divert them to ipfw.<br>> >> ><br>> >> > Can you please explain if I don't specify an interface with -i em0<br>> > which interface will suricata pick to monitor traffic? Will suricata<br>> > pass all the traffic from<br>> >> > the kernel to the ipfw divert socket with the -d option?<br>> >> ><br>> >> > Many thanks.<br>> >> ><br>> >> > Regards,<br>> >> > Shant K<br>> >> ><br>> >> ><br>> >> > > Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error><br>> > (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]<br>> >> > > From: eleblond@edenwall.com<br>> >> > > To: shant@skylab.ca<br>> >> > > CC: oisf-users@openinfosecfoundation.org<br>> >> > > Date: Fri, 30 Jul 2010 09:17:12 +0200<br>> >> > ><br>> >> > > Hi,<br>> >> > ><br>> >> > > Le vendredi 30 juillet 2010 à 02:56 +0000, Shant Kassardjian a écrit :<br>> >> > > > Hello,<br>> >> > > ><br>> >> > > ><br>> >> > > > I can't seem to start suricata on FreeBSD 8.0<br>> >> > > ><br>> >> > > ><br>> >> > > > I have compiled with ./configure --enable-profiling --enable-ipfw<br>> >> > > ...<br>> >> > > ><br>> >> > > > # suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000<br>> >> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) --<br>> >> > > > This is Suricata version 1.0.1<br>> >> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) --<br>> >> > > > [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run<br>> > mode has<br>> >> > > > been specified<br>> >> > > > ...<br>> >> > > ><br>> >> > > ><br>> >> > > ><br>> >> > > > Any idea what went wrong? error message doesn't say much..<br>> >> > ><br>> >> > > It tell correctly the error ;)<br>> >> > ><br>> >> > > You've runned with options :<br>> >> > > - -i em0 which enable pcap on em0<br>> >> > > - -d 8000 you divert packet from rule 8000<br>> >> > > Thus you've got multiple run mode instead on one. You need to choose<br>> >> > > one.<br>> >> > ><br>> >> > > BR,<br>> >> > > --<br>> >> > > Éric Leblond, eleblond@edenwall.com<br>> >> > > Téléphone : +33 1 40 24 65 04, Fax : +33 9 57 21 48 75<br>> >> > > EdenWall, http://www.edenwall.com<br>> >> ><br>> >> ><br>> >> _______________________________________________<br>> >> Oisf-users mailing list<br>> >> Oisf-users@openinfosecfoundation.org<br>> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> > <br>> > <br>> > ------------------------------------------------------------------------<br>> > <br>> > _______________________________________________<br>> > Oisf-users mailing list<br>> > Oisf-users@openinfosecfoundation.org<br>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> <br>> <br>> -- <br>> ---------------------------------------------<br>> Victor Julien<br>> http://www.inliniac.net/<br>> PGP: http://www.inliniac.net/victorjulien.asc<br>> ---------------------------------------------<br>> <br>> _______________________________________________<br>> Oisf-users mailing list<br>> Oisf-users@openinfosecfoundation.org<br>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br> </body>
</html>