[Oisf-users] Errors in Suricata.log - SC_ERR_NUMERIC_VALUE_ERANGE and SC_ERR_INVALID_NUM_BYTES
Victor Julien
lists at inliniac.net
Tue Apr 9 18:02:45 UTC 2019
Hi Eric,
On 08-04-19 22:30, Eric Urban wrote:
> We occasionally have had the following errors in our suricata.log, which
> have always been paired together, and I am having trouble tracking down
> the source of the errors.
>
> {"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}
> {"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}
>
> We started seeing these after we switched over to using the 4.x rules
> from Emerging Threats from the 3.x set.
>
> I tried looking at common alerts during these times, and did find at
> least one, but this particular rule fires often enough that we see a hit
> on it once per second so it seems like it could be a coincidence.
>
> I am also not sure that there would be an alert logged in the situations
> where we run into these errors since this may prevent a match from
> occurring.
>
> I looked through the Suricata source code for hints. I believe this
> would be reached from using the isdataat keyword in rules but am not
> certain that is the only way to reach this.
>
> Does anyone have suggestions on where to go from here? I am trying to
> avoid enabling debug across all instances of Suricata we have.
I found a few places in the byte extract and byte jump code that could
trigger this. Testing a fix.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
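The thread leaves the practical question open: which rule is producing the engine errors, when a chatty rule will sit next to every error by coincidence. The script below is an added example (not from this thread and not Suricata project code) that reads an eve.json stream, takes the timestamps of "engine" events carrying the two error names quoted above, and ranks alert signatures by the share of their alerts that fall within a small window of an error. A rule that fires once per second lands in every window but with a low share; a rule whose alerts cluster around the errors stands out. The eve fields used (event_type, engine.error, alert.signature_id, alert.signature) are the standard eve names; the sample records are constructed for the example, apart from the two engine lines copied from the message.

```python
"""Rank Suricata alert signatures by how often they fire next to engine errors.

Added example for the Oisf-users thread on SC_ERR_NUMERIC_VALUE_ERANGE /
SC_ERR_INVALID_NUM_BYTES. Not Suricata project code. Input is eve.json,
one JSON object per line. The sample data below is constructed, except
for the two engine records quoted in the thread.
"""
import bisect
import json
from collections import Counter
from datetime import datetime, timedelta

# The two engine error names reported in the thread.
ENGINE_ERRORS = {"SC_ERR_NUMERIC_VALUE_ERANGE", "SC_ERR_INVALID_NUM_BYTES"}


def parse_ts(ts):
    """Parse an eve timestamp such as 2019-04-08T08:47:54.999844-0500.

    %z accepts both -0500 and -05:00, and %f accepts 1-6 fractional digits.
    """
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_events(lines):
    """Yield parsed eve records, skipping blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def correlate(lines, window_seconds=2):
    """Return (number_of_engine_errors, ranked list of per-signature stats).

    For every alert signature: total alerts, alerts within +/- window of an
    engine error, and the ratio of the two. Sorted by ratio, then by count.
    """
    events = list(load_events(lines))
    error_times = sorted(
        parse_ts(e["timestamp"]) for e in events
        if e.get("event_type") == "engine"
        and e.get("engine", {}).get("error") in ENGINE_ERRORS
    )
    window = timedelta(seconds=window_seconds)

    def near_error(t):
        # Only the neighbours around the insertion point can be within the window.
        i = bisect.bisect_left(error_times, t)
        return any(
            0 <= j < len(error_times) and abs(t - error_times[j]) <= window
            for j in (i - 1, i)
        )

    total, near = Counter(), Counter()
    for e in events:
        if e.get("event_type") != "alert":
            continue
        sig = (e["alert"]["signature_id"], e["alert"]["signature"])
        total[sig] += 1
        if near_error(parse_ts(e["timestamp"])):
            near[sig] += 1

    results = [
        {"sid": sid, "signature": name, "total": n,
         "near_error": near[(sid, name)], "ratio": near[(sid, name)] / n}
        for (sid, name), n in total.items()
    ]
    results.sort(key=lambda r: (-r["ratio"], -r["near_error"]))
    return len(error_times), results


def _alert(ts, sid, name):
    # Constructed alert record with only the fields the script reads.
    return json.dumps({"timestamp": ts, "event_type": "alert",
                       "alert": {"signature_id": sid, "signature": name, "rev": 1}})


# Constructed eve.json sample: the two engine records from the thread, one rare
# rule that fires right at the error, one unrelated rule, and a chatty rule
# firing once per second from 08:47:50 to 08:47:59.
SAMPLE_EVE = "\n".join(
    [
        '{"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}',
        '{"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}',
        _alert("2019-04-08T08:47:54.999500-0500", 2000001, "CONSTRUCTED rare rule"),
        _alert("2019-04-08T08:47:30.000000-0500", 2000003, "CONSTRUCTED unrelated rule"),
    ]
    + [_alert(f"2019-04-08T08:47:{s:02d}.000000-0500", 2000002, "CONSTRUCTED chatty rule")
       for s in range(50, 60)]
)

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    n_err, ranked = correlate(src)
    print(f"{n_err} engine error events")
    for r in ranked:
        print(f"sid {r['sid']:>8}  near {r['near_error']:>4}/{r['total']:<5} "
              f"ratio {r['ratio']:.2f}  {r['signature']}")
```

Run it as `python3 correlate.py /var/log/suricata/eve.json` (the engine events must be going to eve, as they evidently were for the records quoted in the thread). Two caveats follow from Eric's own observation: a rule whose byte_extract or byte_jump fails does not produce an alert, so the rule actually responsible may be absent from the ranking altogether, and a high ratio only nominates a candidate for inspection of its content/byte_* options, it does not prove causation.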