<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<div>Hi will,</div><div><br></div><div>Here are all of my config:</div><div><br></div><div>[IPFW script]</div><div>#!/bin/sh</div><div><br></div><div>ipfw -q -f flush</div><div>ipfw -q zero</div><div>ipfw -q resetlog</div><div><br></div><div>ipfw add 010 divert 8000 ip from any to any via em0</div><div><br></div><div>[Kernel compiled with]</div><div><div>options DUMMYNET</div><div>options IPDIVERT</div><div>options IPFIREWALL</div><div>options LIBALIAS</div><div>options IPFIREWALL_NAT</div><div>options IPFIREWALL_FORWARD</div><div>options IPFIREWALL_VERBOSE</div><div>options IPFIREWALL_VERBOSE_LIMIT=5</div><div>options IPFIREWALL_DEFAULT_TO_ACCEPT</div></div><div><br></div><div>[Sysctl]</div><div><div>net.link.bridge.ipfw=1</div><div>net.inet.ip.fw.one_pass=0</div></div><div>net.bpf.zerocopy_enable=1</div><div><br></div><div>[My Suricata yaml config]</div><div><div>core# cat suricata.old /usr/local/etc/suricata</div><div>%YAML 1.1</div><div>---</div><div><br></div><div>max-pending-packets: 50</div><div><br></div><div>action-order:</div><div> - pass</div><div> - drop</div><div> - reject</div><div> - alert</div><div><br></div><div><br></div><div>default-log-dir: /var/log/</div><div><br></div><div>outputs:</div><div> - fast:</div><div> enabled: yes</div><div> filename: fast.log</div><div><br></div><div> - http-log:</div><div> enabled: no</div><div> filename: http.log</div><div><br></div><div><br></div><div><br></div><div>defrag:</div><div> max-frags: 65535</div><div> prealloc: yes</div><div> timeout: 60</div><div><br></div><div># threshold-file: /etc/suricata/threshold.config</div><div><br></div><div># The detection engine builds internal groups of signatures. The engine</div><div># allow us to specify the profile to use for them, to manage memory on an</div><div># efficient way keeping a good performance. For the profile keyword you</div><div>#Â can use the words "low", "medium", "high" or "custom". If you use custom</div><div># make sure to define the values at "- custom-values" as your convenience.</div><div># Usually you would prefer medium/high/low</div><div>detect-engine:</div><div> - profile: high</div><div> - custom-values:</div><div> toclient_src_groups: 2</div><div> toclient_dst_groups: 2</div><div> toclient_sp_groups: 2</div><div> toclient_dp_groups: 3</div><div> toserver_src_groups: 2</div><div> toserver_dst_groups: 4</div><div> toserver_sp_groups: 2</div><div> toserver_dp_groups: 25</div><div><br></div><div>threading:</div><div> set_cpu_affinity: no</div><div> detect_thread_ratio: 1.5</div><div><br></div><div># Select the multi pattern algorithm you want to run for scan/search the</div><div># in the engine. The supported algorithms are b2g, b3g and wumanber.</div><div>#</div><div>mpm-algo: b2g</div><div><br></div><div>pattern-matcher:</div><div> - b2g:</div><div> scan_algo: B2gScanBNDMq</div><div> search_algo: B2gSearchBNDMq</div><div> hash_size: low</div><div> bf_size: medium</div><div># - b3g:</div><div># scan_algo: B3gScanBNDMq</div><div># search_algo: B3gSearchBNDMq</div><div># hash_size: low</div><div># bf_size: medium</div><div># - wumanber:</div><div># hash_size: low</div><div># bf_size: medium</div><div><br></div><div>flow:</div><div> memcap: 33554432</div><div> hash_size: 65536</div><div> prealloc: 10000</div><div> emergency_recovery: 30</div><div> prune_flows: 5</div><div><br></div><div>flow-timeouts:</div><div><br></div><div> default:</div><div> new: 30</div><div> established: 300</div><div> closed: 0</div><div> emergency_new: 10</div><div> emergency_established: 100</div><div> emergency_closed: 0</div><div> tcp:</div><div> new: 60</div><div> established: 3600</div><div> closed: 120</div><div> emergency_new: 10</div><div> emergency_established: 300</div><div> emergency_closed: 20</div><div> udp:</div><div> new: 30</div><div> established: 300</div><div> emergency_new: 10</div><div> emergency_established: 100</div><div> icmp:</div><div> new: 30</div><div> established: 300</div><div> emergency_new: 10</div><div> emergency_established: 100</div><div><br></div><div>stream:</div><div> memcap: 33554432 # 32mb tcp session memcap</div><div> max_sessions: 262144 # 256k concurrent sessions</div><div> prealloc_sessions: 32768 # 32k sessions prealloc'd</div><div> midstream: false # don't allow midstream session pickups</div><div> async_oneside: false # don't enable async stream handling</div><div> reassembly:</div><div> memcap: 67108864 # 64mb tcp reassembly memcap</div><div> depth: 1048576 # 1 MB reassembly depth</div><div><br></div><div>logging:</div><div> default-log-level: info</div><div> #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "</div><div> default-output-filter:</div><div><br></div><div> outputs:</div><div> - console:</div><div> enabled: no</div><div> - file:</div><div> enabled: yes</div><div> filename: /var/log/suricata.log</div><div> - syslog:</div><div> enabled: no</div><div> facility: local5</div><div> format: "[%i] <%d> -- "</div><div><br></div><div>ipfw:</div><div><br></div><div> ipfw-reinjection-rule-number: 011</div><div><br></div><div>default-rule-path: /usr/local/etc/suricata/rules/</div><div>rule-files:</div><div># - attack-responses.rules</div><div># - backdoor.rules</div><div># - bad-traffic.rules</div><div># - chat.rules</div><div># - ddos.rules</div><div># - deleted.rules</div><div># - dns.rules</div><div># - dos.rules</div><div># - experimental.rules</div><div># - exploit.rules</div><div># - finger.rules</div><div># - ftp.rules</div><div># - icmp-info.rules</div><div># - icmp.rules</div><div># - imap.rules</div><div># - info.rules</div><div> - local.rules</div><div># - misc.rules</div><div># - multimedia.rules</div><div># - mysql.rules</div><div># - netbios.rules</div><div># - nntp.rules</div><div># - oracle.rules</div><div># - other-ids.rules</div><div># - p2p.rules</div><div># - policy.rules</div><div># - pop2.rules</div><div># - pop3.rules</div><div># - porn.rules</div><div># - rpc.rules</div><div># - rservices.rules</div><div># - scada.rules</div><div># - scan.rules</div><div># - shellcode.rules</div><div># - smtp.rules</div><div># - snmp.rules</div><div># - specific-threats.rules</div><div># - spyware-put.rules</div><div># - sql.rules</div><div># - telnet.rules</div><div># - tftp.rules</div><div># - virus.rules</div><div># - voip.rules</div><div># - web-activex.rules</div><div># - web-attacks.rules</div><div># - web-cgi.rules</div><div># - web-client.rules</div><div># - web-coldfusion.rules</div><div># - web-frontpage.rules</div><div># - web-iis.rules</div><div># - web-misc.rules</div><div># - web-php.rules</div><div># - x11.rules</div><div># - emerging-attack_response.rules</div><div># - emerging-dos.rules</div><div># - emerging-exploit.rules</div><div># - emerging-game.rules</div><div># - emerging-inappropriate.rules</div><div># - emerging-malware.rules</div><div># - emerging-p2p.rules</div><div># - emerging-policy.rules</div><div># - emerging-scan.rules</div><div># - emerging-virus.rules</div><div># - emerging-voip.rules</div><div># - emerging-web.rules</div><div># - emerging-web_client.rules</div><div># - emerging-web_server.rules</div><div># - emerging-web_specific_apps.rules</div><div># - emerging-user_agents.rules</div><div># - emerging-current_events.rules</div><div><br></div><div>classification-file: /usr/local/etc/suricata/classification.config</div><div><br></div><div>vars:</div><div><br></div><div> address-groups:</div><div><br></div><div> HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"</div><div> EXTERNAL_NET: any</div><div> HTTP_SERVERS: "$HOME_NET"</div><div> SMTP_SERVERS: "$HOME_NET"</div><div> SQL_SERVERS: "$HOME_NET"</div><div> DNS_SERVERS: "$HOME_NET"</div><div> TELNET_SERVERS: "$HOME_NET"</div><div> AIM_SERVERS: any</div><div><br></div><div> port-groups:</div><div> HTTP_PORTS: "80"</div><div> SHELLCODE_PORTS: "!80"</div><div> ORACLE_PORTS: 1521</div><div> SSH_PORTS: 22</div><div><br></div><div># Host specific policies for defragmentation and TCP stream</div><div># reassembly. The host OS lookup is done using a radix tree, just</div><div># like a routing table so the most specific entry matches.</div><div>host-os-policy:</div><div> # Make the default policy windows.</div><div> windows: [0.0.0.0/0]</div><div> bsd: []</div><div> bsd_right: []</div><div> old_linux: []</div><div> linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]</div><div> old_solaris: []</div><div> solaris: ["::1"]</div><div> hpux10: []</div><div> hpux11: []</div><div> irix: []</div><div> macos: []</div><div> vista: []</div><div> windows2k3: []</div><div><br></div><div>###########################################################################</div><div># Configure libhtp.</div><div>#</div><div>#</div><div># default-config: Used when no server-config matches</div><div># personality: List of personalities used by default</div><div>#</div><div># server-config: List of server configurations to use if address matches</div><div># address: List of ip addresses or networks for this block</div><div># personalitiy: List of personalities used by this block</div><div>#</div><div># Currently Available Personalities:</div><div># Minimal</div><div># Generic</div><div># IDS (default)</div><div># IIS_4_0</div><div># IIS_5_0</div><div># IIS_5_1</div><div># IIS_6_0</div><div># IIS_7_0</div><div># IIS_7_5</div><div># Apache</div><div># Apache_2_2</div><div>###########################################################################</div><div>libhtp:</div><div><br></div><div> default-config:</div><div> personality: IDS</div><div><br></div><div> server-config:</div><div><br></div><div> - apache:</div><div> address: [192.168.1.0/24, 127.0.0.0/8, "::1"]</div><div> personality: Apache_2_2</div><div><br></div><div> - iis7:</div><div> address:</div><div> - 192.168.0.0/24</div><div> - 192.168.10.0/24</div><div> personality: IIS_7_0</div><div><br></div><div>profiling:</div><div><br></div><div> rules:</div><div><br></div><div> enabled: yes</div><div><br></div><div> # Sort options: ticks, avgticks, checks, matches</div><div> sort: avgticks</div><div><br></div><div> # Limit the number of items printed at exit.</div><div> limit: 100</div></div><div><br></div><div><br></div><div>[Console Error while visiting www.engadget.com]</div><div><div>[100186] 1/8/2010 -- 14:12:55 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1</div><div>[100186] 1/8/2010 -- 14:12:55 - (util-cpu.c:167) <Info> (UtilCpuPrintSummary) -- CPUs Summary:</div><div>[100186] 1/8/2010 -- 14:12:55 - (util-cpu.c:169) <Info> (UtilCpuPrintSummary) -- CPUs online: 2</div><div>[100186] 1/8/2010 -- 14:12:55 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs configured 2</div><div>Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"</div><div>[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertFastLog" registered.</div><div>[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertDebugLog" registered.</div><div>[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.</div><div>[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.</div><div>[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "Unified2Alert" registered.</div><div>[100186] 1/8/2010 -- 14:12:56 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "LogHttpLog" registered.</div><div>[100186] 1/8/2010 -- 14:12:56 - (suricata.c:997) <Info> (main) -- preallocated 50 packets. Total memory 4016400</div><div>[100186] 1/8/2010 -- 14:12:56 - (flow.c:746) <Info> (FlowInitConfig) -- initializing flow engine...</div><div>[100186] 1/8/2010 -- 14:12:56 - (flow.c:833) <Info> (FlowInitConfig) -- allocated 1048576 bytes of memory for the flow hash... 65536 buckets of size 16</div><div>[100186] 1/8/2010 -- 14:12:56 - (flow.c:852) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 248</div><div>[100186] 1/8/2010 -- 14:12:56 - (flow.c:854) <Info> (FlowInitConfig) -- flow memory usage: 3528576 bytes, maximum: 33554432</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:387) <Info> (SigLoadSignatures) -- 1 rule files processed. 7 rules succesfully loaded, 0 rules failed</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect-engine-sigorder.c:829) <Info> (SCSigOrderSignatures) -- ordering signatures in memory</div><div>SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 8</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect-engine-sigorder.c:870) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 8</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:1480) <Info> (SigAddressPrepareStage1) -- 8 signatures processed. 0 are IP-only rules, 5 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:1483) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:1968) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address lists...</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2037) <Info> (SigAddressPrepareStage2) -- 8 total signatures:</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2058) <Info> (SigAddressPrepareStage2) -- TCP Source address blocks: any: 1, ipv4: 9, ipv6: 1.</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2078) <Info> (SigAddressPrepareStage2) -- UDP Source address blocks: any: 2, ipv4: 14, ipv6: 2.</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2098) <Info> (SigAddressPrepareStage2) -- ICMP Source address blocks: any: 2, ipv4: 2, ipv6: 2.</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2102) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... done</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2681) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists...</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2764) <Info> (SigAddressPrepareStage3) -- MPM memory 290983 (dynamic 290343, ctxs 640, avg per ctx 15281)</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2766) <Info> (SigAddressPrepareStage3) -- max sig id 8, array size 2</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2767) <Info> (SigAddressPrepareStage3) -- signature group heads: unique 15, copies 94.</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2769) <Info> (SigAddressPrepareStage3) -- MPM instances: 19 unique, copies 11 (none 0).</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2771) <Info> (SigAddressPrepareStage3) -- MPM (URI) instances: 1 unique, copies 14 (none 0).</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2772) <Info> (SigAddressPrepareStage3) -- MPM max patcnt 3, avg 0</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2775) <Info> (SigAddressPrepareStage3) -- port maxgroups: 40, avg 21, tot 525</div><div>[100186] 1/8/2010 -- 14:12:56 - (detect.c:2776) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... done</div><div>[100186] 1/8/2010 -- 14:12:56 - (util-profiling.c:311) <Info> (SCProfilingInitRuleCounters) -- Registered 8 rule profiling counters.</div><div><br></div><div>[100186] 1/8/2010 -- 14:12:56 - (util-threshold-config.c:104) <Error> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory</div><div>[100186] 1/8/2010 -- 14:12:56 - (alert-fastlog.c:333) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log</div><div>[100125] 1/8/2010 -- 14:12:56 - (source-ipfw.c:302) <Info> (ReceiveIPFWThreadInit) -- Using IPFW divert port 8000</div><div>[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144</div><div>[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768</div><div>[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:387) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432</div><div>[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:394) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled</div><div>[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled</div><div>[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:411) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864</div><div>[100186] 1/8/2010 -- 14:12:56 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576</div><div>[100186] 1/8/2010 -- 14:12:56 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 3 management threads initialized, engine started.</div><div>[100154] 1/8/2010 -- 14:14:27 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 64.12.173.101, src port 49459 and dst port 80</div><div>[100154] 1/8/2010 -- 14:15:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 64.12.173.101, src port 49491 and dst port 80</div></div><div><br></div><div><br></div><br><hr id="stopSpelling">From: william.metcalf@gmail.com<br>Date: Sun, 1 Aug 2010 08:54:24 -0500<br>To: shant@skylab.ca<br>CC: oisf-users@openinfosecfoundation.org<br>Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br><br><div>Can you show us your ipfw rules?</div><div><br></div><div>Regards,</div><div><br></div><div>Will<br><br>Sent from my iPhone</div><div><br>On Aug 1, 2010, at 12:30 AM, Shant Kassardjian <<a href="mailto:shant@skylab.ca">shant@skylab.ca</a>> wrote:<br><br></div><div></div><blockquote><div><div>Let's wait and see what the dev team has to say, it looks like a bug to me.</div><div><br></div><div>It's great to see I'm not the only one with this problem.</div><div><br>Sent from my iPad</div><div><br>On 2010-07-31, at 6:07 PM, "Anas.B" <<a href="mailto:a.bouhsaina@gmail.com"></a><a href="mailto:a.bouhsaina@gmail.com">a.bouhsaina@gmail.com</a>> wrote:<br><br></div><div></div><blockquote><div><div dir="ltr">No reply ? any suggestions !!!<br><br><span style="background-color:rgb(255, 255, 255);color:rgb(204, 204, 204)">A...</span><br><br><div class="ecxgmail_quote">2010/7/29 Anas.B <span dir="ltr"><<a href="mailto:a.bouhsaina@gmail.com"></a><a href="mailto:a.bouhsaina@gmail.com"></a><a href="mailto:a.bouhsaina@gmail.com">a.bouhsaina@gmail.com</a>></span><br>
<blockquote class="ecxgmail_quote" style="padding-left:1ex"><div dir="ltr">I had this in the CLI,<br><br>[2115] 29/7/2010 -- 09:37:06 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request<br>
[2115] 29/7/2010 -- 09:37:06 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.20.80.100, destination IP address 66.249.92.104, src port 1425 and dst port 80<br>
<br>is it a bug !!?<br></div>
</blockquote></div><br></div>
</div></blockquote><blockquote><div><span>_______________________________________________</span><br><span>Oisf-users mailing list</span><br><span><a href="mailto:Oisf-users@openinfosecfoundation.org"></a><a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a></span><br><span><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank"></a><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br></div></blockquote></div></blockquote><blockquote><div><span>_______________________________________________</span><br><span>Oisf-users mailing list</span><br><span><a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a></span><br><span><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br></div></blockquote><br>_______________________________________________
Oisf-users mailing list
Oisf-users@openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users </body>
</html>