[Oisf-devel] AppLayerParse errors

Will Metcalf william.metcalf at gmail.com
Fri Jul 2 15:19:02 UTC 2010


You will probably most likely get these when you first start up the
engine, as it will be coming in mid-stream on some sessions.  With that
said, if you are getting them otherwise, we would love to have a look if
you supply us with a pcap.  To log stuff that normally gets logged to
the console, you can enable the following in suricata.yaml:

  - file:
      enabled: no
      filename: /var/log/suricata.log

to

  - file:
      enabled: yes
      filename: /var/log/suricata.log

Guess we should probably change the default log location to something
more appropriate such as /var/log/suricata/suricata.log or something.

Regards,

Will

On Fri, Jul 2, 2010 at 9:56 AM, Peter Bates <p.bates at gold.ac.uk> wrote:
>
> Hello all...
>
> First of all, congratulations on reaching the 1.0.0 milestone.
> The performance (I'm using PF_RING as well) is very impressive.
>
> Running suricata on a live link, I'm seeing a lot of:
>
> [2047] 2/7/2010 -- 15:34:32 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occurred in
> parsing "http" app layer protocol, using network protocol 6, source IP
> address 86.26.169.237, destination IP address 158.223.1.86, src port 62179
> and dst port 80
>
> and
>
> [2047] 2/7/2010 -- 15:38:17 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occurred in
> parsing "tls" app layer protocol, using network protocol 6, source IP
> address 158.223.191.55, destination IP address 209.85.227.97, src port 3282
> and dst port 443
>
> Obviously these messages are by default going to the console, but is it
> possible to capture these and some associated pcap files so I can submit
> them back for investigation?
>
> --
> Peter Bates, Network Support & Development Officer
> Goldsmiths, University of London
> New Cross, London SE14 6NW. Telephone: 020 7919 7082
>
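
An added example, not part of the original thread or of the Suricata code base: once the file output above is enabled, the SC_ERR_ALPARSER records can be parsed from the log and turned into per-flow BPF filters, so that only the affected sessions need to be captured for a pcap submission. The function names and the sample log (documentation addresses, in the message format quoted in this thread) are assumptions made for the illustration.

```python
import re
from collections import Counter

PROTO_NAMES = {6: "tcp", 17: "udp"}  # IP protocol numbers that carry ports

# One SC_ERR_ALPARSER record in the format quoted in this thread. \s+ lets
# the pattern match single-line log entries and hard-wrapped copies alike.
ALPARSER_RE = re.compile(
    r'SC_ERR_ALPARSER\(\d+\)\]\s+-\s+Error\s+occurred\s+in\s+parsing\s+'
    r'"(?P<app>[^"]+)"\s+app\s+layer\s+protocol,\s+using\s+network\s+'
    r'protocol\s+(?P<proto>\d+),\s+source\s+IP\s+address\s+'
    r'(?P<src>[0-9A-Fa-f:.]+),\s+destination\s+IP\s+address\s+'
    r'(?P<dst>[0-9A-Fa-f:.]+),\s+src\s+port\s+(?P<sp>\d+)\s+and\s+'
    r'dst\s+port\s+(?P<dp>\d+)'
)

# Constructed sample (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
[2047] 2/7/2010 -- 15:34:32 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occurred in parsing "http" app layer protocol, using network protocol 6, source IP address 192.0.2.10, destination IP address 198.51.100.20, src port 62179 and dst port 80
[2047] 2/7/2010 -- 15:34:33 - (app-layer-parser.c:931) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occurred in
parsing "http" app layer protocol, using network protocol 6, source IP
address 192.0.2.10, destination IP address 198.51.100.20, src port 62179
and dst port 80
[2047] 2/7/2010 -- 15:38:17 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occurred in parsing "tls" app layer protocol, using network protocol 6, source IP address 192.0.2.55, destination IP address 203.0.113.97, src port 3282 and dst port 443
"""

def parse_alparser_errors(text):
    """Count errors per (app, proto, src, sport, dst, dport) flow."""
    flows = Counter()
    for m in ALPARSER_RE.finditer(text):
        flows[(m["app"], int(m["proto"]), m["src"], int(m["sp"]),
               m["dst"], int(m["dp"]))] += 1
    return flows

def bpf_for_flow(flow):
    """BPF expression matching both directions of one flow."""
    _app, proto, src, sport, dst, dport = flow
    hosts = f"host {src} and host {dst}"
    if proto in PROTO_NAMES:
        return f"{PROTO_NAMES[proto]} and {hosts} and port {sport} and port {dport}"
    return f"ip proto {proto} and {hosts}"  # no port clause without ports

if __name__ == "__main__":
    for flow, count in parse_alparser_errors(SAMPLE_LOG).most_common():
        print(f"{count}x {flow[0]}: {bpf_for_flow(flow)}")
```

Each expression can be used as a capture filter with tcpdump or another libpcap-based tool to record only the sessions that triggered the parser error.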


