[Oisf-users] Suricata - test rule ignored/not dropping.

Anas.B a.bouhsaina at gmail.com
Mon Aug 2 15:02:33 UTC 2010


If you see above, I had the same error, in Ubuntu.

2010/8/2 <oisf at rogness.net>

> So it's not a bug related to ipfw specifically. Maybe related to FreeBSD
> though... You may want to file a bug report.
>
>
> Nick
>
> Sent from my BlackBerry Smartphone provided by Alltel
> ------------------------------
> From: Shant Kassardjian <shant at skylab.ca>
> Sender: <pookme at hotmail.com>
> Date: Mon, 2 Aug 2010 02:49:26 +0000
> To: <oisf at rogness.net>; <oisf-users-bounces at openinfosecfoundation.org>;
> <william.metcalf at gmail.com>
> Cc: <oisf-users at openinfosecfoundation.org>
> Subject: RE: [Oisf-users] Suricata - test rule ignored/not dropping.
>
> I just ran in IDS mode, -i em0, and got the same error messages; here's the
> full output:
>
> [100125] 1/8/2010 -- 22:41:19 - (alert-fastlog.c:333) <Info>
> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:365) <Info>
> (StreamTcpInitConfig) -- stream "max_sessions": 262144
> [100167] 1/8/2010 -- 22:41:19 - (source-pcap.c:267) <Info>
> (ReceivePcapThreadInit) -- using interface em0
> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:377) <Info>
> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:387) <Info>
> (StreamTcpInitConfig) -- stream "memcap": 33554432
> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:394) <Info>
> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:402) <Info>
> (StreamTcpInitConfig) -- stream "async_oneside": disabled
> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:411) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> [100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:420) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> [100125] 1/8/2010 -- 22:41:19 - (tm-threads.c:1429) <Info>
> (TmThreadWaitOnThreadInit) -- all 7 packet processing threads, 3 management
> threads initialized, engine started.
> [100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error>
> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP client request: [1] [htp_request_generic.c] [150] Request field
> invalid: colon missing
> [100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst
> port 80
> [100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error>
> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP client request: [1] [htp_request_generic.c] [150] Request field
> invalid: colon missing
> [100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51616 and dst
> port 80
> [100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error>
> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP client request: [1] [htp_request_generic.c] [150] Request field
> invalid: colon missing
> [100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51621 and dst
> port 80
> [100170] 1/8/2010 -- 22:41:52 - (app-layer-htp.c:391) <Error>
> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP client request: [1] [htp_request_generic.c] [150] Request field
> invalid: colon missing
> [100170] 1/8/2010 -- 22:41:52 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51622 and dst
> port 80
> [100170] 1/8/2010 -- 22:41:53 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51617 and dst
> port 80
> [100170] 1/8/2010 -- 22:41:54 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51619 and dst
> port 80
> [100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error>
> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP server response: [1] [htp_response.c] [671] Unable to match response to
> request
> [100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst
> port 80
>
>
> ------------------------------
> To: shant at skylab.ca; pookme at hotmail.com;
> oisf-users-bounces at openinfosecfoundation.org; william.metcalf at gmail.com
> CC: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
> From: oisf at rogness.net
> Date: Mon, 2 Aug 2010 02:37:04 +0000
>
> Looks like a potential bug. If you run in IDS mode, with -i em0 without the
> -d 8000, and remove the ipfw rule, does it still produce the error?
>
> Nick
>
>
> Sent from my BlackBerry Smartphone provided by Alltel
> ------------------------------
> From: Shant Kassardjian <shant at skylab.ca>
> Sender: <pookme at hotmail.com>
> Date: Mon, 2 Aug 2010 02:27:56 +0000
> To: <oisf at rogness.net>; <oisf-users-bounces at openinfosecfoundation.org>;
> <william.metcalf at gmail.com>
> Cc: <oisf-users at openinfosecfoundation.org>
> Subject: RE: [Oisf-users] Suricata - test rule ignored/not dropping.
>
>
> Hi Nick,
>
> Yes, I have interfaces (em1, em2, em3, em4, em5) configured under bridge0,
> plus an em0 interface which is not part of bridge0 and provides routing
> for internet connectivity.
>
> Here's how the flow occurs:
>
> pc -> bridge0 -> em0 -> internet
>
> My ipfw script is very basic:
>
> #!/bin/sh
>
> ipfw -q -f flush
> ipfw -q zero
> ipfw -q resetlog
>
> ipfw add 010 divert 8000 ip from any to any via em0
>
> Setting console output to yes in suricata.yml now provides additional
> details in the error message:
>
>
> [100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:391) <Error>
> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP client request: [1] [htp_request_generic.c] [150] Request field
> invalid: colon missing
>
> [100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51098 and dst
> port 80
>
> [100185] 1/8/2010 -- 22:11:18 - (app-layer-htp.c:479) <Error>
> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP server response: [1] [htp_response.c] [671] Unable to match response to
> request
>
> [100185] 1/8/2010 -- 22:11:18 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51100 and dst
> port 80
>
> [100185] 1/8/2010 -- 22:11:26 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing
> "http" app layer protocol, using network protocol 6, source IP address
> 172.25.1.10, destination IP address 24.200.238.163, src port 51104 and dst
> port 80
>
>
> Hope this helps!
> Shant K
>
> > To: shant at skylab.ca; oisf-users-bounces at openinfosecfoundation.org;
> william.metcalf at gmail.com
> > CC: oisf-users at openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
> > From: oisf at rogness.net
> > Date: Sun, 1 Aug 2010 20:09:25 +0000
> >
> >
> > Are you bridging between interfaces? Does this happen when you are
> routing versus bridging?
> >
> > Nick
> >
> > Sent from my BlackBerry Smartphone provided by Alltel
> >
> > -----Original Message-----
> > From: Shant Kassardjian <shant at skylab.ca>
> > Sender: oisf-users-bounces at openinfosecfoundation.org
> > Date: Sun, 1 Aug 2010 18:24:32
> > To: <william.metcalf at gmail.com>
> > Cc: <oisf-users at openinfosecfoundation.org>
> > Subject: Re: [Oisf-users] Suricata - test rule ignored/not dropping.
> >
> >_______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
>
>
>
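The parser errors quoted throughout this thread are easier to triage when the console output is tallied by flow and by libhtp reason than when read line by line (in the thread, every error involves the same client 172.25.1.10 and the same server, which is the kind of pattern that separates a traffic problem from an engine bug). The following Python is an added example, not code from the thread or from Suricata; it parses the console-log format shown above, and the five SAMPLE_LOG lines are constructed sample input modelled on the quoted output.

```python
import re
from collections import Counter

# Constructed sample input in the console-log format Suricata 1.0 prints,
# modelled on the lines quoted in the thread (not captured from a live sensor).
SAMPLE_LOG = """\
[100125] 1/8/2010 -- 22:41:19 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[100170] 1/8/2010 -- 22:41:51 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100170] 1/8/2010 -- 22:41:51 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51615 and dst port 80
[100170] 1/8/2010 -- 22:41:55 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100170] 1/8/2010 -- 22:41:55 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.238.163, src port 51618 and dst port 80
"""

# [tid] date -- time - (file:line) <Level> (Function) -- message
LINE_RE = re.compile(r"^\[(\d+)\] (\S+) -- (\S+) - \(([^)]+)\) <(\w+)> \((\w+)\) -- (.*)$")
ERR_RE = re.compile(r"\[ERRCODE: (\w+)\((\d+)\)\] - (.*)")
FLOW_RE = re.compile(r"source IP address (\S+), destination IP address (\S+), src port (\d+) and dst port (\d+)")
HTP_RE = re.compile(r"\[\d+\] \[[^\]]+\] \[\d+\] (.*)$")  # libhtp detail "[1] [file] [line] reason"

def parse_line(line):
    """Split one console line into fields; None if it is not a Suricata log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tid, date, time, src, level, func, msg = m.groups()
    rec = dict(tid=int(tid), time=f"{date} {time}", src=src, level=level, func=func, msg=msg)
    if e := ERR_RE.search(msg):
        rec.update(errcode=e.group(1), errnum=int(e.group(2)), text=e.group(3))
    if f := FLOW_RE.search(msg):   # only the AppLayerParse lines carry the flow tuple
        rec["flow"] = (f.group(1), f.group(2), int(f.group(3)), int(f.group(4)))
    if h := HTP_RE.search(msg):    # only the HTPHandle*Data lines carry the libhtp reason
        rec["reason"] = h.group(1)
    return rec

def summarize(log_text):
    """Tally <Error> lines by error code, by libhtp reason and by affected flow."""
    by_code, by_reason, by_flow = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["level"] != "Error":
            continue
        by_code[rec.get("errcode", "unknown")] += 1
        if "reason" in rec:
            by_reason[rec["reason"]] += 1
        if "flow" in rec:
            by_flow[rec["flow"]] += 1
    return {"by_code": by_code, "by_reason": by_reason, "by_flow": by_flow}

if __name__ == "__main__":
    for (sip, dip, sp, dp), n in summarize(SAMPLE_LOG)["by_flow"].most_common():
        print(f"{n} parser error(s) on {sip}:{sp} -> {dip}:{dp}")
```

Feed it the real console output instead of SAMPLE_LOG and the by_flow tally shows whether the errors cluster on one client or server, which is the first thing to check before filing the bug report suggested above.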