Hi,<br>This could very well be the reason.<br>Are there any VLANs involved where the interface that Suricata listens on is not part of those VLANs/VLAN?<br><br>Thanks<br><br><div class="gmail_quote">On Mon, Nov 7, 2011 at 5:23 PM, Peter Bates <span dir="ltr">&lt;<a href="mailto:peter.bates@ucl.ac.uk">peter.bates@ucl.ac.uk</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">
</div>Hello all...<br>
<div class="im"><br>
On 07/11/2011 16:11, Shirkdog wrote:<br>
> Can you post the errors to the list as well?<br>
<br>
</div>I'm getting pretty consistent (IP addresses obfuscated):<br>
<br>
[27959] 7/11/2011 -- 16:16:34 - (app-layer-parser.c:969) &lt;Error&gt;<br>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in<br>
parsing "tls" app layer protocol, using network protocol 6, source IP<br>
address a.b.214.226, destination IP address a.b.111.30, src port 57561<br>
and dst port 443<br>
[27959] 7/11/2011 -- 16:16:34 - (app-layer-htp.c:487) &lt;Error&gt;<br>
(HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in<br>
parsing HTTP server response: [1] [htp_response.c] [677] Unable to<br>
match response to request<br>
[27959] 7/11/2011 -- 16:16:34 - (app-layer-parser.c:969) &lt;Error&gt;<br>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in<br>
parsing "http" app layer protocol, using network protocol 6, source IP<br>
address a.b.214.226, destination IP address a.b.111.30, src port 57562<br>
and dst port 80<br>
[27959] 7/11/2011 -- 16:18:40 - (app-layer-parser.c:969) &lt;Error&gt;<br>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in<br>
parsing "smtp" app layer protocol, using network protocol 6, source IP<br>
address c.d.241.35, destination IP address a.b.111.57, src port 50156<br>
and dst port 25<br>
<br>
Having a closer look (which I should have done before posting to the<br>
list!) - all the destination IPs throwing errors are in the same /24<br>
which we have for SLB devices - so I think this is the cause of the<br>
errors.<br>
<div class="im"><br>
- --<br>
Peter Bates<br>
Senior Computer Security Officer    Phone: <a href="tel:%2B44%280%292076792049" value="+442076792049">+44(0)2076792049</a><br>
Information Services Division       Internal Ext: 32049<br>
University College London<br>
London WC1E 6BT<br>
</div><div><div></div><div class="h5">
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>