<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
To let everyone know, I just sent William twp pcaps, one for the http parser error and the other for the htp mismatch error! hopefully this problem will be identified soon!<div><br></div><div>Best Regards,</div><div>Shant K<br><br>> Date: Mon, 2 Aug 2010 15:00:12 -0500<br>> From: william.metcalf@gmail.com<br>> To: shant@skylab.ca<br>> CC: oisf-users@openinfosecfoundation.org; oisf-users-bounces@openinfosecfoundation.org<br>> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> <br>> You will most likely see some of these at startup, as the engine will<br>> be coming into some http sessions mid-stream. Do you see this after<br>> initialization? Or is this limited to startup? If it is not limited<br>> to startup if you can provide a pcap to me privately it would be very<br>> helpful. Also this is actually only limited to the "Unable to match<br>> response to request" one. If you could provide a pcap for the other<br>> would be super helpful ;-).<br>> <br>> Regards,<br>> <br>> Will<br>> <br>> On Sun, Aug 1, 2010 at 9:49 PM, Shant Kassardjian <shant@skylab.ca> wrote:<br>> > I just ran in IDS mode, -i em0, got same error messages, here's the full<br>> > output:<br>> > [100125] 1/8/2010 -- 22:41:19 - (alert-fastlog.c:333) <Info><br>> > (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log<br>> > [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:365) <Info><br>> > (StreamTcpInitConfig) -- stream "max_sessions": 262144<br>> > [100167] 1/8/2010 -- 22:41:19 - (source-pcap.c:267) <Info><br>> > (ReceivePcapThreadInit) -- using interface em0<br>> > [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:377) <Info><br>> > (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768<br>> > [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:387) <Info><br>> > (StreamTcpInitConfig) -- stream "memcap": 33554432<br>> > [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:394) <Info><br>> > (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled<br>> > [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:402) <Info><br>> > (StreamTcpInitConfig) -- stream "async_oneside": disabled<br>> > [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:411) <Info><br>> > (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864<br>> > [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:420) <Info><br>> > (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576<br>> > [100125] 1/8/2010 -- 22:41:19 - (tm-threads.c:1429) <Info><br>> > (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management<br>> > threads initialized, engine started.<br>> > [100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error><br>> > (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>> > HTTP client request: [1] [htp_request_generic.c] [150] Request field<br>> > invalid: colon missing<br>> > [100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst<br>> > port 80<br>> > [100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error><br>> > (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>> > HTTP client request: [1] [htp_request_generic.c] [150] Request field<br>> > invalid: colon missing<br>> > [100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51616 and dst<br>> > port 80<br>> > [100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error><br>> > (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>> > HTTP client request: [1] [htp_request_generic.c] [150] Request field<br>> > invalid: colon missing<br>> > [100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51621 and dst<br>> > port 80<br>> > [100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error><br>> > (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>> > HTTP client request: [1] [htp_request_generic.c] [150] Request field<br>> > invalid: colon missing<br>> > [100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51622 and dst<br>> > port 80<br>> > [100170] 1/8/2010 -- 22:41:53 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51617 and dst<br>> > port 80<br>> > [100170] 1/8/2010 -- 22:41:54 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51619 and dst<br>> > port 80<br>> > [100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error><br>> > (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>> > HTTP server response: [1] [htp_response.c] [671] Unable to match response to<br>> > request<br>> > [100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst<br>> > port 80<br>> ><br>> > ________________________________<br>> > To: shant@skylab.ca; pookme@hotmail.com;<br>> > oisf-users-bounces@openinfosecfoundation.org; william.metcalf@gmail.com<br>> > CC: oisf-users@openinfosecfoundation.org<br>> > Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> > From: oisf@rogness.net<br>> > Date: Mon, 2 Aug 2010 02:37:04 +0000<br>> ><br>> > Looks like a potential bug. If you run in IDS mode, with -i em0 without the<br>> > -d 8000, and remove the ipfw rule, does it still produce the error?<br>> ><br>> > Nick<br>> ><br>> ><br>> > Sent from my BlackBerry Smartphone provided by Alltel<br>> > ________________________________<br>> > From: Shant Kassardjian <shant@skylab.ca><br>> > Sender: <pookme@hotmail.com><br>> > Date: Mon, 2 Aug 2010 02:27:56 +0000<br>> > To: <oisf@rogness.net>; <oisf-users-bounces@openinfosecfoundation.org>;<br>> > <william.metcalf@gmail.com><br>> > Cc: <oisf-users@openinfosecfoundation.org><br>> > Subject: RE: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> ><br>> > Hi Nick,<br>> > Yes, I have interfaces (em1, em2, em3,em4, em5) configured under bridge0,<br>> > plus an em0 interface which is not part of the bridge0 and provides routing<br>> > for internet connectivity.<br>> > here's how the flow occurs:<br>> > pc -> birdge0 -> em0 -> internet<br>> > My ipfw script is very basic<br>> > #!/bin/sh<br>> > ipfw -q -f flush<br>> > ipfw -q zero<br>> > ipfw -q resetlog<br>> > ipfw add 010 divert 8000 ip from any to any via em0<br>> > Configuring the suricata.yml to enable console output to yes, now provides<br>> > additional details to the error message:<br>> ><br>> > [100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error><br>> > (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>> > HTTP client request: [1] [htp_request_generic.c] [150] Request field<br>> > invalid: colon missing<br>> > [100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst<br>> > port 80<br>> > [100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error><br>> > (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>> > HTTP server response: [1] [htp_response.c] [671] Unable to match response to<br>> > request<br>> > [100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst<br>> > port 80<br>> > [100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) <Error><br>> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>> > "http" app layer protocol, using network protocol 6, source IP address<br>> > 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst<br>> > port 80<br>> ><br>> > hope this helps!<br>> > Shant K<br>> ><br>> >> To: shant@skylab.ca; oisf-users-bounces@openinfosecfoundation.org;<br>> >> william.metcalf@gmail.com<br>> >> CC: oisf-users@openinfosecfoundation.org<br>> >> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> >> From: oisf@rogness.net<br>> >> Date: Sun, 1 Aug 2010 20:09:25 +0000<br>> >><br>> >><br>> >> Are you bridging between interfaces? Does this happen when you are routing<br>> >> versus bridging?<br>> >><br>> >> Nick<br>> >><br>> >> Sent from my BlackBerry Smartphone provided by Alltel<br>> >><br>> >> -----Original Message-----<br>> >> From: Shant Kassardjian <shant@skylab.ca><br>> >> Sender: oisf-users-bounces@openinfosecfoundation.org<br>> >> Date: Sun, 1 Aug 2010 18:24:32<br>> >> To: <william.metcalf@gmail.com><br>> >> Cc: <oisf-users@openinfosecfoundation.org><br>> >> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.<br>> >><br>> >>_______________________________________________<br>> >> Oisf-users mailing list<br>> >> Oisf-users@openinfosecfoundation.org<br>> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> >><br>> >><br>> ><br>> _______________________________________________<br>> Oisf-users mailing list<br>> Oisf-users@openinfosecfoundation.org<br>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br></div> </body>
</html>