[Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]

Victor Julien victor at inliniac.net
Sat Jul 31 07:27:50 UTC 2010


Shant Kassardjian wrote:
> Anyways, I now have another problem: despite suricata functioning
> properly, I get the following error on each web site I browse:
> 
> 
> [100154] 30/7/2010 -- 19:36:28 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "http" app layer protocol, using network protocol 6, source IP
> address 172.25.1.10, destination IP address 24.200.239.18, src port
> 49343 and dst port 80
> 
> 
> [100154] 30/7/2010 -- 19:44:03 - (app-layer-parser.c:931) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "http" app layer protocol, using network protocol 6, source IP
> address 172.25.1.10, destination IP address 64.191.203.30, src port
> 49580 and dst port 80

Usually in the line above it, it will print the error reason. It's not
uncommon to see some of these.

Are you seeing the http requests appear in your
/var/log/suricata/http.log? If so it means they are at least partly
understood by Suricata.

Cheers,
Victor


> 
> Is this a configuration problem? There might be a small performance hit
> because of this problem.
> 
> Many thanks for the help.
> 
>> To: rmkml at free.fr; oisf-users-bounces at openinfosecfoundation.org; shant at skylab.ca
>> From: oisf at rogness.net
>> Date: Fri, 30 Jul 2010 17:46:40 +0000
>> CC: oisf-users at openinfosecfoundation.org
>> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
>>
>> You must specify which packets to send to suricata via an ipfw rule.
>> For example:
>>
>> ipfw divert 8000 ip from any to any via em0
>>
>> This example ipfw rule instructs the kernel to send packets, of type
>> IP, with any source/destination address, which either come in or out
>> interface em0, to a divert socket 8000.
>>
>> Suricata, configured with -d 8000, picks the packets off by listening
>> to this divert socket 8000.
>>
>> The 8000 specified in the suricata argument to -d MUST match the same
>> value which is added in the 'ipfw divert 8000 ...' command, or suricata
>> will not see packets from IPFW.
>>
>> The -i em0 flag is not needed for suricata running with IPFW divert
>> sockets. It would only be needed if you were running in IDS mode via pcap
>> or equivalent.
>>
>> Hope this helps.
>>
>> Nick
>>
>> Sent from my BlackBerry Smartphone provided by Alltel
>>
>> -----Original Message-----
>> From: rmkml <rmkml at free.fr>
>> Sender: oisf-users-bounces at openinfosecfoundation.org
>> Date: Fri, 30 Jul 2010 18:50:04
>> To: Shant Kassardjian<shant at skylab.ca>
>> Cc: <oisf-users at openinfosecfoundation.org>
>> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --
>> [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
>>
>> Hi Shant,
>> maybe can help you ?:
>> http://www.codealias.info/technotes/freebsd_divert_sockets
>> ..."A divert socket is a socket that can be used to alter packets
>> before being processed by the networking stack."...
>> Regards
>> Rmkml
>>
>>
>> On Fri, 30 Jul 2010, Shant Kassardjian wrote:
>>
>> > Hello Eric,
>> >
>> > Thank you for your reply, I am a bit confused as to which interface
>> > suricata monitors traffic on? I have the bridge0 interface configured
>> > for (em1, em2, ... em5) 5 sub interfaces and em0 which is my uplink interface.
>> >
>> > I thought with -i em0 -d 8000 it would listen for traffic passing
>> > only through em0 and divert them to ipfw.
>> >
>> > Can you please explain if I don't specify an interface with -i em0
>> > which interface will suricata pick to monitor traffic? Will suricata
>> > pass all the traffic from the kernel to the ipfw divert socket with the -d option?
>> >
>> > Many thanks.
>> >
>> > Regards,
>> > Shant K
>> >
>> >
>> > > Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
>> > > From: eleblond at edenwall.com
>> > > To: shant at skylab.ca
>> > > CC: oisf-users at openinfosecfoundation.org
>> > > Date: Fri, 30 Jul 2010 09:17:12 +0200
>> > >
>> > > Hi,
>> > >
>> > > On Friday 30 July 2010 at 02:56 +0000, Shant Kassardjian wrote:
>> > > > Hello,
>> > > >
>> > > >
>> > > > I can't seem to start suricata on FreeBSD 8.0
>> > > >
>> > > >
>> > > > I have compiled with ./configure --enable-profiling --enable-ipfw
>> > > ...
>> > > >
>> > > > # suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000
>> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) --
>> > > > This is Suricata version 1.0.1
>> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) --
>> > > > [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has
>> > > > been specified
>> > > > ...
>> > > >
>> > > >
>> > > >
>> > > > Any idea what went wrong? error message doesn't say much..
>> > >
>> > > It tells the error correctly ;)
>> > >
>> > > You've run with the options:
>> > > - -i em0, which enables pcap on em0
>> > > - -d 8000, with which you divert packets from rule 8000
>> > > Thus you've got multiple run modes instead of one. You need to choose
>> > > one.
>> > >
>> > > BR,
>> > > --
>> > > Éric Leblond, eleblond at edenwall.com
>> > > Telephone : +33 1 40 24 65 04, Fax : +33 9 57 21 48 75
>> > > EdenWall, http://www.edenwall.com
>> >
>> >
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
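As an added example (not part of the thread), a small parser for the Suricata 1.0.x error lines quoted above: it groups SC_ERR_ALPARSER failures per destination, so the occasional parse failure Victor describes as normal can be told apart from a systematic one against a single host. The log prefix and message layout are assumed from the lines in this thread, and the sample log is constructed from them.

```python
"""Parse Suricata 1.0.x error lines (format assumed from this thread) and
count SC_ERR_ALPARSER failures per destination host and port."""
import re
from collections import Counter

# [pid] d/m/yyyy -- hh:mm:ss - (file:line) <Level> (func) -- [ERRCODE: NAME(num)] - msg
LOG_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>\d+/\d+/\d{4} -- \d\d:\d\d:\d\d) - "
    r"\((?P<where>[\w.-]+:\d+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- "
    r"\[ERRCODE: (?P<errname>\w+)\((?P<errnum>\d+)\)\] - (?P<msg>.*)$"
)
# The 5-tuple that SC_ERR_ALPARSER messages carry.
TUPLE_RE = re.compile(
    r'parsing "(?P<alproto>\w+)" app layer protocol, using network protocol '
    r"(?P<proto>\d+), source IP address (?P<sip>[\d.]+), destination IP "
    r"address (?P<dip>[\d.]+), src port (?P<sp>\d+) and dst port (?P<dp>\d+)"
)
# Constructed sample: the lines quoted in this thread, unwrapped.
SAMPLE_LOG = [
    "[100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1",
    "[100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has been specified",
    '[100154] 30/7/2010 -- 19:36:28 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49343 and dst port 80',
    '[100154] 30/7/2010 -- 19:44:03 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 64.191.203.30, src port 49580 and dst port 80',
]

def parse_line(line):
    """Return the fields of one ERRCODE line as a dict, or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    t = TUPLE_RE.search(rec["msg"])
    if t:
        rec.update(t.groupdict())  # adds alproto, proto, sip, dip, sp, dp
    return rec

def summarise(lines):
    """Return (errors per ERRCODE name, ALPARSER failures per (alproto, dst:port))."""
    by_code, by_dst = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        by_code[rec["errname"]] += 1
        if rec["errname"] == "SC_ERR_ALPARSER" and "dip" in rec:
            by_dst[(rec["alproto"], rec["dip"] + ":" + rec["dp"])] += 1
    return by_code, by_dst

if __name__ == "__main__":
    codes, dsts = summarise(SAMPLE_LOG)
    for (alproto, dst), n in dsts.most_common():
        print(f"{n:4d} {alproto} parse failure(s) towards {dst}")
```

Feed it the whole log rather than the sample to see whether failures cluster on one destination; a cluster is where to compare against /var/log/suricata/http.log as Victor suggests.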