<div dir="ltr">If you see up, I had the same error, in UBUNTU.<br><br><div class="gmail_quote">2010/8/2 <span dir="ltr"><<a href="mailto:oisf@rogness.net">oisf@rogness.net</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>So its not a bug related to ipfw specifically. Maybe related to freebsd though... You may want to file a bug report.<div class="im"><br><br>Nick<br><br><p>Sent from my BlackBerry Smartphone provided by Alltel</p><hr>
<div><b>From: </b> Shant Kassardjian <<a href="mailto:shant@skylab.ca" target="_blank">shant@skylab.ca</a>>
</div><div><b>Sender: </b> <<a href="mailto:pookme@hotmail.com" target="_blank">pookme@hotmail.com</a>>
</div></div><div><b>Date: </b>Mon, 2 Aug 2010 02:49:26 +0000</div><div><div></div><div class="h5"><div><b>To: </b><<a href="mailto:oisf@rogness.net" target="_blank">oisf@rogness.net</a>>; <<a href="mailto:oisf-users-bounces@openinfosecfoundation.org" target="_blank">oisf-users-bounces@openinfosecfoundation.org</a>>; <<a href="mailto:william.metcalf@gmail.com" target="_blank">william.metcalf@gmail.com</a>></div>
<div><b>Cc: </b><<a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>></div><div><b>Subject: </b>RE: [Oisf-users] Suricata - test rule ignored/not dropping.</div>
<div><br></div>
I just ran in IDS mode, -i em0, got same error messages, here's the full output:<div><br></div><div><div>[100125] 1/8/2010 -- 22:41:19 - (alert-fastlog.c:333) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log</div>
<div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144</div><div><b>[100167] 1/8/2010 -- 22:41:19 - (source-pcap.c:267) <Info> (ReceivePcapThreadInit) -- using interface em0</b></div>
<div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:387) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432</div>
<div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:394) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled</div>
<div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:411) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576</div>
<div>[100125] 1/8/2010 -- 22:41:19 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started.</div><div><b>[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div>
<div>[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst port 80</div>
<div><b>[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div>
<div>[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51616 and dst port 80</div>
<div><b>[100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div>
<div>[100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51621 and dst port 80</div>
<div><b>[100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div>
<div>[100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51622 and dst port 80</div>
<div>[100170] 1/8/2010 -- 22:41:53 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51617 and dst port 80</div>
<div>[100170] 1/8/2010 -- 22:41:54 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51619 and dst port 80</div>
<div><b><font color="#ff0000">[100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request</font></b></div>
<div>[100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst port 80</div>
<div><br></div><div><br><hr>To: <a href="mailto:shant@skylab.ca" target="_blank">shant@skylab.ca</a>; <a href="mailto:pookme@hotmail.com" target="_blank">pookme@hotmail.com</a>; <a href="mailto:oisf-users-bounces@openinfosecfoundation.org" target="_blank">oisf-users-bounces@openinfosecfoundation.org</a>; <a href="mailto:william.metcalf@gmail.com" target="_blank">william.metcalf@gmail.com</a><br>
CC: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>From: <a href="mailto:oisf@rogness.net" target="_blank">oisf@rogness.net</a><br>
Date: Mon, 2 Aug 2010 02:37:04 +0000<br><br>
Looks like a potential bug. If you run in IDS mode, with -i em0 without the -d 8000, and remove the ipfw rule, does it still produce the error?<br><br>Nick<br><br><br>Sent from my BlackBerry Smartphone provided by Alltel<br>
<hr><div><b>From: </b> Shant Kassardjian <<a href="mailto:shant@skylab.ca" target="_blank">shant@skylab.ca</a>>
</div><div><b>Sender: </b> <<a href="mailto:pookme@hotmail.com" target="_blank">pookme@hotmail.com</a>>
</div><div><b>Date: </b>Mon, 2 Aug 2010 02:27:56 +0000</div><div><b>To: </b><<a href="mailto:oisf@rogness.net" target="_blank">oisf@rogness.net</a>>; <<a href="mailto:oisf-users-bounces@openinfosecfoundation.org" target="_blank">oisf-users-bounces@openinfosecfoundation.org</a>>; <<a href="mailto:william.metcalf@gmail.com" target="_blank">william.metcalf@gmail.com</a>></div>
<div><b>Cc: </b><<a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>></div><div><b>Subject: </b>RE: [Oisf-users] Suricata - test rule ignored/not dropping.</div>
<div><br></div>
<div><br></div><div>Hi Nick,</div><div><br></div><div>Yes, I have interfaces (em1, em2, em3,em4, em5) configured under bridge0, plus an em0 interface which is not part of the bridge0 and provides routing for internet connectivity.</div>
<div><br></div><div>here's how the flow occurs:</div><div><br></div><div>pc -> birdge0 -> em0 -> internet</div><div><br></div><div>My ipfw script is very basic</div><div><div>#!/bin/sh</div><div><br></div><div>
ipfw -q -f flush</div><div>ipfw -q zero</div><div>ipfw -q resetlog</div><div><br></div><div>ipfw add 010 divert 8000 ip from any to any via em0</div></div><div><br></div><div>Configuring the suricata.yml to enable console output to yes, now provides additional details to the error message:</div>
<div><br></div><div><br></div><div><div><b>[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div>
<div><br></div><div>[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst port 80</div>
<div><br></div><div><b>[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request</b></div>
<div><br></div><div>[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst port 80</div>
<div><br></div><div>[100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst port 80</div>
</div><div><br></div><div><br></div>hope this helps!<div>Shant K<br><br>> To: <a href="mailto:shant@skylab.ca" target="_blank">shant@skylab.ca</a>; <a href="mailto:oisf-users-bounces@openinfosecfoundation.org" target="_blank">oisf-users-bounces@openinfosecfoundation.org</a>; <a href="mailto:william.metcalf@gmail.com" target="_blank">william.metcalf@gmail.com</a><br>
> CC: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> From: <a href="mailto:oisf@rogness.net" target="_blank">oisf@rogness.net</a><br>
> Date: Sun, 1 Aug 2010 20:09:25 +0000<br>> <br>> <br>> Are you bridging between interfaces? Does this happen when you are routing versus bridging?<br>> <br>> Nick<br>> <br>> Sent from my BlackBerry Smartphone provided by Alltel<br>
> <br>> -----Original Message-----<br>> From: Shant Kassardjian <<a href="mailto:shant@skylab.ca" target="_blank">shant@skylab.ca</a>><br>> Sender: <a href="mailto:oisf-users-bounces@openinfosecfoundation.org" target="_blank">oisf-users-bounces@openinfosecfoundation.org</a><br>
> Date: Sun, 1 Aug 2010 18:24:32 <br>> To: <<a href="mailto:william.metcalf@gmail.com" target="_blank">william.metcalf@gmail.com</a>><br>> Cc: <<a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>><br>
> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> <br>>_______________________________________________<br>> Oisf-users mailing list<br>> <a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>> <br>> <br></div></div></div> </div>
</div></div>
<br>_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br></blockquote></div><br></div>