[Oisf-users] Suricata - test rule ignored/not dropping.

Shant Kassardjian shant at skylab.ca
Mon Aug 2 02:49:26 UTC 2010


I just ran in IDS mode, -i em0, got same error messages, here's the full output:
[100125] 1/8/2010 -- 22:41:19 - (alert-fastlog.c:333) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[100167] 1/8/2010 -- 22:41:19 - (source-pcap.c:267) <Info> (ReceivePcapThreadInit) -- using interface em0
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:387) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:394) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:411) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[100125] 1/8/2010 -- 22:41:19 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started.
[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst port 80
[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51616 and dst port 80
[100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51621 and dst port 80
[100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51622 and dst port 80
[100170] 1/8/2010 -- 22:41:53 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51617 and dst port 80
[100170] 1/8/2010 -- 22:41:54 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51619 and dst port 80
[100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst port 80

To: shant at skylab.ca; pookme at hotmail.com; oisf-users-bounces at openinfosecfoundation.org; william.metcalf at gmail.com
CC: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
From: oisf at rogness.net
Date: Mon, 2 Aug 2010 02:37:04 +0000

Looks like a potential bug.  If you run in IDS mode, with -i em0 without the -d 8000, and remove the ipfw rule, does it still produce the error?

Nick


Sent from my BlackBerry Smartphone provided by Alltel
From:  Shant Kassardjian <shant at skylab.ca>
Sender:  <pookme at hotmail.com>
Date: Mon, 2 Aug 2010 02:27:56 +0000
To: <oisf at rogness.net>; <oisf-users-bounces at openinfosecfoundation.org>; <william.metcalf at gmail.com>
Cc: <oisf-users at openinfosecfoundation.org>
Subject: RE: [Oisf-users] Suricata - test rule ignored/not dropping.


Hi Nick,
Yes, I have interfaces (em1, em2, em3, em4, em5) configured under bridge0, plus an em0 interface which is not part of the bridge0 and provides routing for internet connectivity.
Here's how the flow occurs:
pc -> bridge0 -> em0 -> internet
My ipfw script is very basic:
#!/bin/sh
ipfw -q -f flush
ipfw -q zero
ipfw -q resetlog
ipfw add 010 divert 8000 ip from any to any via em0
Configuring the suricata.yml to enable console output to yes now provides additional details to the error message:

[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst port 80
[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst port 80
[100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst port 80

hope this helps!
Shant K

> To: shant at skylab.ca; oisf-users-bounces at openinfosecfoundation.org; william.metcalf at gmail.com
> CC: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
> From: oisf at rogness.net
> Date: Sun, 1 Aug 2010 20:09:25 +0000
> 
> 
> Are you bridging between interfaces?  Does this happen when you are routing versus bridging?
> 
> Nick
> 
> Sent from my BlackBerry Smartphone provided by Alltel
> 
> -----Original Message-----
> From: Shant Kassardjian <shant at skylab.ca>
> Sender: oisf-users-bounces at openinfosecfoundation.org
> Date: Sun, 1 Aug 2010 18:24:32 
> To: <william.metcalf at gmail.com>
> Cc: <oisf-users at openinfosecfoundation.org>
> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
> 
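Both console dumps in this thread are easier to triage with a small parser than by eye: the interesting question is how many records are errors, which ERRCODE and emitting function they come from, and which flows the "http" app-layer parser gave up on. The script below is an added example, not part of this thread and not Suricata's own code. It assumes the console-log record format visible in the posted output ("[thread-id] d/m/yyyy -- HH:MM:SS - (file.c:line) <Level> (Function) -- message") and tolerates records that were run together on one line, as happened when the log was pasted into the HTML mail. The sample lines are constructed to mirror the ones posted above.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample in the console-log format the thread shows:
# "[thread-id] d/m/yyyy -- HH:MM:SS - (file.c:line) <Level> (Function) -- message".
# The values mirror the lines posted above, but the set is hand-assembled.
SAMPLE_LOG = """\
[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst port 80
[100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst port 80
[100125] 1/8/2010 -- 22:11:18 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management threads initialized, engine started.
"""

# Record layout as assumed from the posted output (not an official grammar).
LINE_RE = re.compile(
    r"^\[(?P<tid>\d+)\] (?P<date>\d+/\d+/\d+) -- (?P<time>\d\d:\d\d:\d\d) - "
    r"\((?P<src>[\w.-]+:\d+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)")
FLOW_RE = re.compile(
    r"using network protocol (?P<proto>\d+), source IP address (?P<sip>[\d.]+), "
    r"destination IP address (?P<dip>[\d.]+), src port (?P<sport>\d+) and dst port (?P<dport>\d+)"
)
# Every record starts with "[tid] d/m/yyyy -- HH:MM:SS - "; split on that boundary
# so records glued together on one line are still recovered.
RECORD_START = re.compile(r"(?=\[\d+\] \d+/\d+/\d+ -- \d\d:\d\d:\d\d - )")


def split_records(text: str) -> list:
    """Return one string per log record, whether or not the input had newlines."""
    records = []
    for line in text.splitlines():
        for rec in RECORD_START.split(line):
            rec = rec.strip()
            if rec:
                records.append(rec)
    return records


def parse_record(rec: str) -> Optional[dict]:
    """Parse one record into its fields; None if the line is not in this format."""
    m = LINE_RE.match(rec)
    if not m:
        return None
    d = m.groupdict()
    d["tid"] = int(d["tid"])
    e = ERRCODE_RE.search(d["msg"])
    d["errcode"] = e.group("name") if e else None
    d["errnum"] = int(e.group("num")) if e else None
    d["detail"] = e.group("detail") if e else d["msg"]
    f = FLOW_RE.search(d["msg"])
    d["flow"] = (
        {"proto": int(f["proto"]), "sip": f["sip"], "dip": f["dip"],
         "sport": int(f["sport"]), "dport": int(f["dport"])}
        if f else None
    )
    return d


def summarize(text: str) -> dict:
    """Count records by level, ERRCODE and emitting function, and list the
    distinct flows the app-layer parser reported errors for."""
    recs = [r for r in map(parse_record, split_records(text)) if r]
    flows = []
    for r in recs:
        if r["flow"] and r["flow"] not in flows:
            flows.append(r["flow"])
    return {
        "records": len(recs),
        "by_level": dict(Counter(r["level"] for r in recs)),
        "by_errcode": dict(Counter(r["errcode"] for r in recs if r["errcode"])),
        "by_function": dict(Counter(r["func"] for r in recs if r["level"] == "Error")),
        "flows": flows,
    }


if __name__ == "__main__":
    import json
    # Same result whether the records are one per line or run together.
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
    print(json.dumps(summarize(SAMPLE_LOG.replace("\n", "")), indent=2))
```

Feed it the console output (or the pasted text from the mail) on stdin or as a string and you get the error counts and the affected 5-tuples; in the posted dumps every error is SC_ERR_ALPARSER(59) on flows from 172.25.1.10 to 24.200.238.163:80, which supports looking at the HTTP stream Suricata sees on em0 (midstream pickups are disabled, so a session seen only from one side or picked up late will not be parsed as a complete request/response) rather than at the test rule itself.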