[Oisf-users] Suricata - test rule ignored/not dropping.

oisf at rogness.net
Mon Aug 2 02:37:04 UTC 2010


Looks like a potential bug.  If you run in IDS mode, with -i em0 without the -d 8000, and remove the ipfw rule, does it still produce the error?

Nick



Sent from my BlackBerry Smartphone provided by Alltel

-----Original Message-----
From: Shant Kassardjian <shant at skylab.ca>
Sender: <pookme at hotmail.com>
Date: Mon, 2 Aug 2010 02:27:56 
To: <oisf at rogness.net>; <oisf-users-bounces at openinfosecfoundation.org>; <william.metcalf at gmail.com>
Cc: <oisf-users at openinfosecfoundation.org>
Subject: RE: [Oisf-users] Suricata - test rule ignored/not dropping.



Hi Nick,
Yes, I have interfaces (em1, em2, em3,em4, em5) configured under bridge0, plus an em0 interface which is not part of the bridge0 and provides routing for internet connectivity.
here's how the flow occurs:
pc -> bridge0 -> em0 -> internet
My ipfw script is very basic:
#!/bin/sh
ipfw -q -f flush
ipfw -q zero
ipfw -q resetlog
ipfw add 010 divert 8000 ip from any to any via em0
Configuring the suricata.yml to enable console output to yes, now provides additional details to the error message:

[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst port 80
[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst port 80
[100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst port 80

hope this helps!
Shant K

> To: shant at skylab.ca; oisf-users-bounces at openinfosecfoundation.org; william.metcalf at gmail.com
> CC: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
> From: oisf at rogness.net
> Date: Sun, 1 Aug 2010 20:09:25 +0000
> 
> 
> Are you bridging between interfaces?  Does this happen when you are routing versus bridging?
> 
> Nick
> 
> Sent from my BlackBerry Smartphone provided by Alltel
> 
> -----Original Message-----
> From: Shant Kassardjian <shant at skylab.ca>
> Sender: oisf-users-bounces at openinfosecfoundation.org
> Date: Sun, 1 Aug 2010 18:24:32 
> To: <william.metcalf at gmail.com>
> Cc: <oisf-users at openinfosecfoundation.org>
> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
> 
>_______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
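The five SC_ERR_ALPARSER lines quoted in Shant's message are easier to reason about once each libhtp detail line (handler name and reason, no flow) is paired with the AppLayerParse line that follows it and carries the 5-tuple. The script below is an added example, not part of this thread or of Suricata; it parses exactly those lines (embedded as constructed sample input) and summarises the errors per reason and per client/server pair.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the five SC_ERR_ALPARSER lines quoted in the thread.
SAMPLE_LOG = """\
[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst port 80
[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst port 80
[100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst port 80
"""

# A libhtp detail line names the HTP handler and the reason but carries no flow.
DETAIL_RE = re.compile(r"\((HTPHandle(?:Request|Response)Data)\).*\[htp_\w+\.c\] \[\d+\] (.+)$")
# The AppLayerParse line that follows it carries the 5-tuple of the failing flow.
FLOW_RE = re.compile(r"network protocol (\d+), source IP address (\S+), "
                     r"destination IP address (\S+), src port (\d+) and dst port (\d+)")


def parse_alparser_errors(text):
    """One dict per AppLayerParse error: the 5-tuple plus the libhtp reason
    reported on the immediately preceding detail line, if there was one."""
    events, pending = [], None
    for line in text.splitlines():
        if "SC_ERR_ALPARSER" not in line:
            continue
        m = DETAIL_RE.search(line)
        if m:
            side = "request" if "Request" in m.group(1) else "response"
            pending = (side, m.group(2))
            continue
        m = FLOW_RE.search(line)
        if m:
            proto, src, dst, sport, dport = m.groups()
            side, reason = pending or (None, "(no libhtp detail)")
            events.append({"proto": int(proto), "src": src, "dst": dst,
                           "sport": int(sport), "dport": int(dport),
                           "side": side, "reason": reason})
            pending = None
    return events


def summarize(events):
    """Errors per reason, and distinct client ports per (src, dst) pair, so you
    can see whether the failures cluster on one host pair as in the thread."""
    by_reason = Counter(e["reason"] for e in events)
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["sport"])
    return by_reason, {pair: len(p) for pair, p in ports.items()}
```

Run it against a full suricata.log (read the file instead of SAMPLE_LOG) to see whether the parse errors are confined to one host pair, which is the first thing to check before suspecting the divert setup.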