<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>So it's not a bug related to ipfw specifically. Maybe related to FreeBSD though... You may want to file a bug report.<br/><br/>Nick<br/><br/><p>Sent from my BlackBerry Smartphone provided by Alltel</p><hr/><div><b>From: </b> Shant Kassardjian <shant@skylab.ca>
</div><div><b>Sender: </b> <pookme@hotmail.com>
</div><div><b>Date: </b>Mon, 2 Aug 2010 02:49:26 +0000</div><div><b>To: </b><oisf@rogness.net>; <oisf-users-bounces@openinfosecfoundation.org>; <william.metcalf@gmail.com></div><div><b>Cc: </b><oisf-users@openinfosecfoundation.org></div><div><b>Subject: </b>RE: [Oisf-users] Suricata - test rule ignored/not dropping.</div><div><br/></div>
I just ran in IDS mode, -i em0, got same error messages, here's the full output:<div><br></div><div><div>[100125] 1/8/2010 -- 22:41:19 - (alert-fastlog.c:333) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144</div><div><b>[100167] 1/8/2010 -- 22:41:19 - (source-pcap.c:267) <Info> (ReceivePcapThreadInit) -- using interface em0</b></div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:387) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:394) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:411) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864</div><div>[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576</div><div>[100125] 1/8/2010 -- 22:41:19 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started.</div><div><b>[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div><div>[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst port 
80</div><div><b>[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div><div>[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51616 and dst port 80</div><div><b>[100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div><div>[100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51621 and dst port 80</div><div><b>[100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div><div>[100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51622 and dst port 80</div><div>[100170] 1/8/2010 -- 22:41:53 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51617 and dst port 80</div><div>[100170] 1/8/2010 -- 
22:41:54 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51619 and dst port 80</div><div><b><font class="Apple-style-span" color="#FF0000">[100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request</font></b></div><div>[100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst port 80</div><div><br></div><div><br><hr id="stopSpelling">To: shant@skylab.ca; pookme@hotmail.com; oisf-users-bounces@openinfosecfoundation.org; william.metcalf@gmail.com<br>CC: oisf-users@openinfosecfoundation.org<br>Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>From: oisf@rogness.net<br>Date: Mon, 2 Aug 2010 02:37:04 +0000<br><br>
Looks like a potential bug. If you run in IDS mode, with -i em0 without the -d 8000, and remove the ipfw rule, does it still produce the error?<br><br>Nick<br><br><br>Sent from my BlackBerry Smartphone provided by Alltel<BR><hr><div><b>From: </b> Shant Kassardjian <shant@skylab.ca>
</div><div><b>Sender: </b> <pookme@hotmail.com>
</div><div><b>Date: </b>Mon, 2 Aug 2010 02:27:56 +0000</div><div><b>To: </b><oisf@rogness.net>; <oisf-users-bounces@openinfosecfoundation.org>; <william.metcalf@gmail.com></div><div><b>Cc: </b><oisf-users@openinfosecfoundation.org></div><div><b>Subject: </b>RE: [Oisf-users] Suricata - test rule ignored/not dropping.</div><div><br></div>
<div><br></div><div>Hi Nick,</div><div><br></div><div>Yes, I have interfaces (em1, em2, em3, em4, em5) configured under bridge0, plus an em0 interface which is not part of the bridge0 and provides routing for internet connectivity.</div><div><br></div><div>Here's how the flow occurs:</div><div><br></div><div>pc -> bridge0 -> em0 -> internet</div><div><br></div><div>My ipfw script is very basic:</div><div><div>#!/bin/sh</div><div><br></div><div>ipfw -q -f flush</div><div>ipfw -q zero</div><div>ipfw -q resetlog</div><div><br></div><div>ipfw add 010 divert 8000 ip from any to any via em0</div></div><div><br></div><div>Configuring the suricata.yml to enable console output to yes, now provides additional details to the error message:</div><div><br></div><div><br></div><div><div><b>[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing</b></div><div><br></div><div>[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst port 80</div><div><br></div><div><b>[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request</b></div><div><br></div><div>[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst port 80</div><div><br></div><div>[100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) 
<Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst port 80</div></div><div><br></div><div><br></div>Hope this helps!<div>Shant K<br><br>> To: shant@skylab.ca; oisf-users-bounces@openinfosecfoundation.org; william.metcalf@gmail.com<br>> CC: oisf-users@openinfosecfoundation.org<br>> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> From: oisf@rogness.net<br>> Date: Sun, 1 Aug 2010 20:09:25 +0000<br>> <br>> <br>> Are you bridging between interfaces? Does this happen when you are routing versus bridging?<br>> <br>> Nick<br>> <br>> Sent from my BlackBerry Smartphone provided by Alltel<br>> <br>> -----Original Message-----<br>> From: Shant Kassardjian <shant@skylab.ca><br>> Sender: oisf-users-bounces@openinfosecfoundation.org<br>> Date: Sun, 1 Aug 2010 18:24:32 <br>> To: <william.metcalf@gmail.com><br>> Cc: <oisf-users@openinfosecfoundation.org><br>> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> <br>> _______________________________________________<br>> Oisf-users mailing list<br>> Oisf-users@openinfosecfoundation.org<br>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> <br>> <br></div></div></div></body>
</html>