Hi,<br><br>The more thorough response will come form the coders but a few questions if I may:<br>1. the stream is just HTTP - correct?<br>2. Does it occur only when gzip is around<br>3. how do you compile Suri and do you have chksms enabled or not in yaml - disabled by default, but just asking?<br>
<br>thank you for your help<br><br><div class="gmail_quote">On Thu, Dec 15, 2011 at 8:49 PM, Christophe Vandeplas <span dir="ltr"><<a href="mailto:christophe@vandeplas.com">christophe@vandeplas.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
As said in a previous mail I have many many HTTP errors "Unable to<br>
match response to request" like the following error:<br>
After analysis I notice that only 20-30% of the whole TCP session is<br>
analyzed and all further HTTP requests in the same TCP session are<br>
simply ignored by Suricata.<br>
<br>
I was able to find the place and partial origin of the error by adding<br>
some breakpoints, but I can't really understand what's happening in<br>
the code.<br>
<br>
Some info about my pcap: The pcap file contains many http requests in<br>
one TCP session.<br>
<br>
The engine steps at the first request, then the response, then the<br>
second request and so on.<br>
Just after a gzipped response (decoded correctly) the next packet<br>
encountered by the engine is not the next request from the pcap, but<br>
it's the response. It seems like the engine is simply skipping this<br>
http request. But as I don't really understand the code yet I don't<br>
understand the cause and can't locate the bug.<br>
<br>
I'm motivated to debug this problem and help find the real origin of<br>
the problem but I really need some guidance/help.<br>
<br>
Thanks for the assistance.<br>
<div class="im HOEnZb"><br>
<br>
On Wed, Dec 14, 2011 at 1:47 PM, Christophe Vandeplas<br>
<<a href="mailto:christophe@vandeplas.com">christophe@vandeplas.com</a>> wrote:<br>
</div><div class="HOEnZb"><div class="h5">> Hello,<br>
><br>
> As I have loads and loads of HTTP (and smtp) parsing errors on my Suricata<br>
> instance I wanted to analyze why they occur and try debugging/solving the<br>
> issue myself. However I'm having a weird behavior with Suricata once I<br>
> enable --enable-debug.<br>
><br>
> I compiled Suricata from the git master repo.<br>
><br>
> I load a PCAP file that throws HTTP parsing errors and get the following<br>
> output.<br>
> I get the same output I run this Suricata in gdb.<br>
> Pcap file contains a single tcp session in 82kB<br>
><br>
> [6659] 14/12/2011 -- 11:18:10 - (source-pcap-file.c:212) <Info><br>
> (ReceivePcapFileThreadInit) -- reading pcap file<br>
> ../proxytraff-error-parsing.pcap<br>
> [2059] 14/12/2011 -- 11:18:10 - (tm-threads.c:1810) <Info><br>
> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 3 management<br>
> threads initialized, engine started.<br>
> [6659] 14/12/2011 -- 11:18:10 - (app-layer-htp.c:550) <Error><br>
> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing<br>
> HTTP server response: [1] [htp_response.c] [677] Unable to match response to<br>
> request<br>
> [6659] 14/12/2011 -- 11:18:10 - (app-layer-parser.c:977) <Error><br>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing<br>
> "http" app layer protocol, using network protocol 6, source IP address<br>
> 10.80.96.37, destination IP address 10.7.108.10, src port 63272 and dst port<br>
> 8080<br>
> [6659] 14/12/2011 -- 11:18:10 - (source-pcap-file.c:189) <Info><br>
> (ReceivePcapFileLoop) -- pcap file end of file reached (pcap err code 0)<br>
><br>
><br>
> When I compile ./configure --enable-debug , and load exactly the same PCAP I<br>
> get the following output:<br>
> (also the same with ./configure --enable-debug --enable-debug-validation )<br>
><br>
> [6659] 14/12/2011 -- 11:24:37 - (source-pcap-file.c:212) <Info><br>
> (ReceivePcapFileThreadInit) -- reading pcap file<br>
> ../proxytraff-error-parsing.pcap<br>
> [2059] 14/12/2011 -- 11:24:37 - (tm-threads.c:1810) <Info><br>
> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 3 management<br>
> threads initialized, engine started.<br>
> Bus error: 10 (core dumped)<br>
><br>
><br>
> Running that DEBUG enabled Suricata in gdb I get (After a first breakpoint<br>
> I 'continue'd )<br>
> [3091] 14/12/2011 -- 11:39:33 - (tm-threads.c:1810) <Info><br>
> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 3 management<br>
> threads initialized, engine started.<br>
><br>
> Program received signal EXC_BAD_ACCESS, Could not access memory.<br>
> Reason: KERN_PROTECTION_FAILURE at address: 0x00000001029920f8<br>
> [Switching to process 93462 thread 0x1a03]<br>
> 0x00000001001b5205 in ?? ()<br>
><br>
> (gdb) bt<br>
> #0 0x00000001001b5205 in ?? ()<br>
> #1 0x00000001001acfb7 in ?? ()<br>
> #2 0x00000001001a5336 in ?? ()<br>
> #3 0x000000010018911a in ?? ()<br>
> #4 0x00000001001906c9 in ?? ()<br>
> #5 0x000000010016ddd7 in ?? ()<br>
> #6 0x000000010017b9ce in ?? ()<br>
> #7 0x00000001001667c0 in ?? ()<br>
> #8 0x000000010014fe72 in ?? ()<br>
> #9 0x00000001000140f3 in ?? ()<br>
> #10 0x000000010034872c in pcap_offline_read ()<br>
> #11 0x0000000100013814 in ?? ()<br>
> #12 0x000000010014e92b in ?? ()<br>
> #13 0x00007fff883548bf in _pthread_start ()<br>
> #14 0x00007fff88357b75 in thread_start ()<br>
><br>
> It's weird that I don't get resolved functions in the backtrace, no?<br>
> Any advice what I should do next?<br>
><br>
> Thanks<br>
> Christophe<br>
</div></div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>