[Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]

Shant Kassardjian shant at skylab.ca
Fri Jul 30 23:59:29 UTC 2010


Thanks guys for the detailed explanation! I managed to get suricata working in IPS mode on HIGH memory settings with my core 2 duo; it feels 2x faster than snort! (only 10 rules loaded though)


Anyway, I now have another problem. Despite suricata functioning properly, I get the following error on each web site I browse:


[100154] 30/7/2010 -- 19:36:28 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49343 and dst port 80


[100154] 30/7/2010 -- 19:44:03 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 64.191.203.30, src port 49580 and dst port 80


Is this a configuration problem? There might be a small performance hit because of this problem.


Many thanks for the help.





> To: rmkml at free.fr; oisf-users-bounces at openinfosecfoundation.org; shant at skylab.ca
> From: oisf at rogness.net
> Date: Fri, 30 Jul 2010 17:46:40 +0000
> CC: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main)	--[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
> 
> You must specify which packets to send to suricata via an ipfw rule.  For example:
> 
>  ipfw divert 8000 ip from any to any via em0
> 
> This example ipfw rule instructs the kernel to send packets, of type IP, with any source/destination address, which either come in or out interface em0, to a divert socket 8000.
> 
> Suricata, configured with -d 8000, picks the packets off by listening to this divert socket 8000.
> 
> The 8000 specified in the suricata argument to -d MUST match the same value which is added in the 'ipfw divert 8000 ...' command, or suricata will not see packets from IPFW.
> 
> The -i em0 flag is not needed for suricata running with IPFW divert sockets.  It would only be needed if you were running in IDS mode via pcap or equivalent.
> 
> Hope this helps.
> 
> Nick
> 
> Sent from my BlackBerry Smartphone provided by Alltel
> 
> -----Original Message-----
> From: rmkml <rmkml at free.fr>
> Sender: oisf-users-bounces at openinfosecfoundation.org
> Date: Fri, 30 Jul 2010 18:50:04 
> To: Shant Kassardjian<shant at skylab.ca>
> Cc: <oisf-users at openinfosecfoundation.org>
> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --
>  [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
> 
> Hi Shant,
> maybe can help you ?:
> http://www.codealias.info/technotes/freebsd_divert_sockets
>   ..."A divert socket is a socket that can be used to alter packets before being processed by the networking stack."...
> Regards
> Rmkml
> 
> 
> On Fri, 30 Jul 2010, Shant Kassardjian wrote:
> 
> > Hello Eric,
> > 
> > Thank you for your reply, I am a bit confused as to which interface suricata monitors traffic on? I have the bridge0 interface configured for (em1, em2, ... em5)
> > 5 sub interfaces and em0 which is my uplink interface.
> > 
> > I thought with -i em0 -d 8000 it would listen for traffic passing only through em0 and divert it to ipfw.
> > 
> > Can you please explain if I don't specify an interface with -i em0 which interface will suricata pick to monitor traffic? Will suricata pass all the traffic from
> > the kernel to the ipfw divert socket with the -d option?
> > 
> > Many thanks.
> > 
> > Regards,
> > Shant K
> > 
> > 
> > > Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
> > > From: eleblond at edenwall.com
> > > To: shant at skylab.ca
> > > CC: oisf-users at openinfosecfoundation.org
> > > Date: Fri, 30 Jul 2010 09:17:12 +0200
> > >
> > > Hi,
> > >
> > > On Friday 30 July 2010 at 02:56 +0000, Shant Kassardjian wrote:
> > > > Hello,
> > > >
> > > >
> > > > I can't seem to start suricata on FreeBSD 8.0
> > > >
> > > >
> > > > I have compiled with ./configure --enable-profiling --enable-ipfw
> > > ...
> > > >
> > > > # suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000
> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) --
> > > > This is Suricata version 1.0.1
> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) --
> > > > [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has
> > > > been specified
> > > > ...
> > > >
> > > >
> > > >
> > > > Any idea what went wrong? error message doesn't say much..
> > >
> > > It tells the error correctly ;)
> > >
> > > You ran with the options:
> > > - -i em0, which enables pcap on em0
> > > - -d 8000, which diverts packets from rule 8000
> > > Thus you've got multiple run modes instead of one. You need to choose
> > > one.
> > >
> > > BR,
> > > --
> > > Éric Leblond, eleblond at edenwall.com
> > > Telephone: +33 1 40 24 65 04, Fax: +33 9 57 21 48 75
> > > EdenWall, http://www.edenwall.com
> > 
> >
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
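The two explanations above (Éric's: -i and -d each select a run mode, so passing both trips SC_ERR_MULTIPLE_RUN_MODE; Nick's: the port in the ipfw divert rule must equal the value given to -d) can be turned into a preflight check that runs before touching the firewall. The script below is an added example written for this page, not code from the thread or from the Suricata project. It assumes: Suricata 1.0.x's run-mode selectors are -i, -d, -r and -q; the ipfw rule number 8000 is reused as the divert port (Nick's rule did not give a rule number); and the interface and config path are placeholders. It does not execute ipfw or suricata itself; it only builds and validates the commands.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for running Suricata
# as an IPS behind an ipfw divert socket on FreeBSD.
# Assumptions (not stated on the page): run-mode selectors are -i/-d/-r/-q
# (Suricata 1.0.x); the ipfw rule number equals the divert port; interface
# and config path are placeholders. Nothing here touches the live firewall.

# Count how many run-mode selectors appear in a Suricata argument list.
# -i <iface> = pcap, -d <port> = ipfw divert, -r <file> = pcap file,
# -q <queue> = NFQUEUE (Linux). Suricata accepts exactly one of them.
count_run_modes() {
    n=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -i|-d|-r|-q)
                n=$((n + 1))
                shift
                if [ $# -gt 0 ]; then shift; fi   # skip the selector's value
                ;;
            *) shift ;;
        esac
    done
    echo "$n"
}

# Print the port given to -d; return 1 if -d is absent.
divert_port_from_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -d) echo "$2"; return 0 ;;
            *) shift ;;
        esac
    done
    return 1
}

# Build Nick's rule with an explicit rule number (assumed equal to the port):
# all IP packets passing in or out of $2 go to divert socket $1.
ipfw_divert_rule() {
    port=$1; iface=$2
    echo "ipfw add $port divert $port ip from any to any via $iface"
}

# Preflight: exactly one run mode, and if it is ipfw divert, the -d port
# must match the divert port in the ipfw rule text passed as $1.
preflight() {
    rule=$1; shift
    modes=$(count_run_modes "$@")
    if [ "$modes" -ne 1 ]; then
        echo "ERROR: $modes run modes given (SC_ERR_MULTIPLE_RUN_MODE); use only one of -i/-d/-r/-q"
        return 1
    fi
    port=$(divert_port_from_args "$@") || { echo "OK: not an ipfw divert run"; return 0; }
    case " $rule " in
        *" divert $port "*) echo "OK: suricata -d $port matches '$rule'"; return 0 ;;
        *) echo "ERROR: -d $port does not match the divert port in '$rule'"; return 1 ;;
    esac
}

# Usage (placeholders, not run here):
#   rule=$(ipfw_divert_rule 8000 em0)
#   preflight "$rule" -c /usr/local/etc/suricata/suricata.yaml -d 8000 && eval "$rule" \
#     && suricata -c /usr/local/etc/suricata/suricata.yaml -d 8000
```

Run with the original command line from the thread (`-i em0 -d 8000`) the check reports two run modes and refuses; with `-d 8000` alone it passes and confirms the port matches the rule. On FreeBSD the divert socket also needs the ipdivert module loaded (`kldload ipdivert`) or compiled into the kernel; that step is outside what the thread covers.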