[Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
Shant Kassardjian
shant at skylab.ca
Sat Jul 31 18:34:13 UTC 2010
Hello Victor,
Here is the full output, below you will see a sample http.log output.
core# suricata -c suricata.old -d 8000 /usr/local/etc/suricata
[100096] 31/7/2010 -- 14:24:13 - (suricata.c:403) <Info> (main) -- This is Suricata version 1.0.1
[100096] 31/7/2010 -- 14:24:13 - (util-cpu.c:167) <Info> (UtilCpuPrintSummary) -- CPUs Summary:
[100096] 31/7/2010 -- 14:24:13 - (util-cpu.c:169) <Info> (UtilCpuPrintSummary) -- CPUs online: 2
[100096] 31/7/2010 -- 14:24:13 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs configured 2
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertFastLog" registered.
[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertDebugLog" registered.
[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.
[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.
[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "Unified2Alert" registered.
[100096] 31/7/2010 -- 14:24:13 - (output.c:60) <Info> (OutputRegisterModule) -- Output module "LogHttpLog" registered.
[100096] 31/7/2010 -- 14:24:13 - (suricata.c:997) <Info> (main) -- preallocated 50 packets. Total memory 4016400
[100096] 31/7/2010 -- 14:24:13 - (flow.c:746) <Info> (FlowInitConfig) -- initializing flow engine...
[100096] 31/7/2010 -- 14:24:13 - (flow.c:833) <Info> (FlowInitConfig) -- allocated 1048576 bytes of memory for the flow hash... 65536 buckets of size 16
[100096] 31/7/2010 -- 14:24:13 - (flow.c:852) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 248
[100096] 31/7/2010 -- 14:24:13 - (flow.c:854) <Info> (FlowInitConfig) -- flow memory usage: 3528576 bytes, maximum: 33554432
[100096] 31/7/2010 -- 14:24:13 - (detect.c:387) <Info> (SigLoadSignatures) -- 1 rule files processed. 7 rules succesfully loaded, 0 rules failed
[100096] 31/7/2010 -- 14:24:13 - (detect-engine-sigorder.c:829) <Info> (SCSigOrderSignatures) -- ordering signatures in memory
SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 8
[100096] 31/7/2010 -- 14:24:13 - (detect-engine-sigorder.c:870) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 8
[100096] 31/7/2010 -- 14:24:13 - (detect.c:1480) <Info> (SigAddressPrepareStage1) -- 8 signatures processed. 0 are IP-only rules, 5 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[100096] 31/7/2010 -- 14:24:13 - (detect.c:1483) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done
[100096] 31/7/2010 -- 14:24:13 - (detect.c:1968) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address lists...
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2037) <Info> (SigAddressPrepareStage2) -- 8 total signatures:
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2058) <Info> (SigAddressPrepareStage2) -- TCP Source address blocks: any: 1, ipv4: 9, ipv6: 1.
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2078) <Info> (SigAddressPrepareStage2) -- UDP Source address blocks: any: 2, ipv4: 14, ipv6: 2.
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2098) <Info> (SigAddressPrepareStage2) -- ICMP Source address blocks: any: 2, ipv4: 2, ipv6: 2.
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2102) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... done
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2681) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists...
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2764) <Info> (SigAddressPrepareStage3) -- MPM memory 290983 (dynamic 290343, ctxs 640, avg per ctx 15281)
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2766) <Info> (SigAddressPrepareStage3) -- max sig id 8, array size 2
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2767) <Info> (SigAddressPrepareStage3) -- signature group heads: unique 15, copies 94.
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2769) <Info> (SigAddressPrepareStage3) -- MPM instances: 19 unique, copies 11 (none 0).
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2771) <Info> (SigAddressPrepareStage3) -- MPM (URI) instances: 1 unique, copies 14 (none 0).
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2772) <Info> (SigAddressPrepareStage3) -- MPM max patcnt 3, avg 0
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2775) <Info> (SigAddressPrepareStage3) -- port maxgroups: 40, avg 21, tot 525
[100096] 31/7/2010 -- 14:24:13 - (detect.c:2776) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... done
[100096] 31/7/2010 -- 14:24:13 - (util-profiling.c:311) <Info> (SCProfilingInitRuleCounters) -- Registered 8 rule profiling counters.
[100096] 31/7/2010 -- 14:24:13 - (util-threshold-config.c:104) <Error> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "threshold.config": No such file or directory
[100096] 31/7/2010 -- 14:24:13 - (alert-fastlog.c:333) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
[100125] 31/7/2010 -- 14:24:13 - (source-ipfw.c:302) <Info> (ReceiveIPFWThreadInit) -- Using IPFW divert port 8000
[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:365) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:387) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:394) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:411) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[100096] 31/7/2010 -- 14:24:13 - (stream-tcp.c:420) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[100096] 31/7/2010 -- 14:24:14 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 3 management threads initialized, engine started.
[100154] 31/7/2010 -- 14:25:29 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100154] 31/7/2010 -- 14:25:29 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49645 and dst port 80
[100154] 31/7/2010 -- 14:25:29 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100154] 31/7/2010 -- 14:25:29 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49646 and dst port 80
[100154] 31/7/2010 -- 14:25:30 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100154] 31/7/2010 -- 14:25:30 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49647 and dst port 80
[100154] 31/7/2010 -- 14:25:30 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100154] 31/7/2010 -- 14:25:30 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49648 and dst port 80
[100154] 31/7/2010 -- 14:25:32 - (app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150] Request field invalid: colon missing
[100154] 31/7/2010 -- 14:25:32 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49644 and dst port 80
[100154] 31/7/2010 -- 14:25:34 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100154] 31/7/2010 -- 14:25:34 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49643 and dst port 80
[100154] 31/7/2010 -- 14:25:36 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100154] 31/7/2010 -- 14:25:36 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49649 and dst port 80
[100154] 31/7/2010 -- 14:25:36 - (app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing HTTP server response: [1] [htp_response.c] [671] Unable to match response to request
[100154] 31/7/2010 -- 14:25:36 - (app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 172.25.1.10, destination IP address 24.200.239.18, src port 49642 and dst port 80
[In http.log I get multiple entries for]
07/31/10-18:25:40.097329 www.blogsmithmedia.com [**] /www.engadget.com/media/col2_kirf_label_real.gif [**] Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.60 [**] 172.25.1.10:80 -> 24.200.239.40:49634
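A small triage helper for engine output like the log above, added here as an example; it is not part of the original post and not Suricata's own code. It splits entries that a mail client or archive has run together onto one line, pairs each AppLayerParse SC_ERR_ALPARSER entry with the parser error logged immediately before it (the "reason" line Victor mentions in his reply), and counts the reasons, which is what you want before deciding whether a burst of these is harmless parser noise or a real problem. The sample entries are constructed from the ones above; the function names are mine.

```python
"""Pair Suricata 1.0.x AppLayerParse errors with the parser reason logged before them."""
import re
from collections import Counter

# One entry header: [tid] d/m/yyyy -- hh:mm:ss - (file.c:line) <Level> (Func) --
HEADER = re.compile(
    r"\[(?P<tid>\d+)\] (?P<date>\d+/\d+/\d+) -- (?P<time>\d+:\d+:\d+) - "
    r"\((?P<file>[\w.\-]+):(?P<line>\d+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- "
)
# 5-tuple printed by AppLayerParse
TUPLE = re.compile(
    r"source IP address (?P<sip>[^,\s]+), destination IP address (?P<dip>[^,\s]+), "
    r"src port (?P<sport>\d+) and dst port (?P<dport>\d+)"
)
# "... [1] [htp_request_generic.c] [150] Request field invalid: colon missing"
REASON = re.compile(r"\[\d+\]\s*(?P<reason>[^\[\]]+?)\s*$")


def parse_entries(text):
    """Split log text into entries, even when they were run together with no newline."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entry = h.groupdict()
        entry["msg"] = text[h.end():end].strip()
        entries.append(entry)
    return entries


def pair_alparser_errors(entries):
    """Return (reason, sip, dip, sport, dport) for each AppLayerParse error.

    The reason comes from the HTPHandle* entry directly before it; if there is
    none (the AppLayerParse line stands alone) the reason is 'unknown'.
    """
    out = []
    for i, e in enumerate(entries):
        if e["func"] != "AppLayerParse" or "SC_ERR_ALPARSER" not in e["msg"]:
            continue
        reason = "unknown"
        prev = entries[i - 1] if i > 0 else None
        if prev is not None and prev["func"].startswith("HTPHandle"):
            m = REASON.search(prev["msg"])
            if m:
                reason = m.group("reason")
        t = TUPLE.search(e["msg"])
        if t:
            out.append((reason, t["sip"], t["dip"], int(t["sport"]), int(t["dport"])))
    return out


def summarize(pairs):
    """Count errors per reason; a handful per browsing session is normal noise."""
    return Counter(p[0] for p in pairs)


# Constructed sample, deliberately run together the way the archive shows it.
_H = "[100154] 31/7/2010 -- "
_REQ = ("(app-layer-htp.c:391) <Error> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)]"
        " - Error in parsing HTTP client request: [1] [htp_request_generic.c] [150]"
        " Request field invalid: colon missing")
_RESP = ("(app-layer-htp.c:479) <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)]"
         " - Error in parsing HTTP server response: [1] [htp_response.c] [671]"
         " Unable to match response to request")


def _alp(sport):
    return ("(app-layer-parser.c:931) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)]"
            ' - Error occured in parsing "http" app layer protocol, using network protocol 6,'
            " source IP address 172.25.1.10, destination IP address 24.200.239.18,"
            f" src port {sport} and dst port 80")


SAMPLE = (
    "[100096] 31/7/2010 -- 14:24:14 - (tm-threads.c:1429) <Info> (TmThreadWaitOnThreadInit) -- "
    "all 9 packet processing threads, 3 management threads initialized, engine started."
    + _H + "14:25:29 - " + _REQ + _H + "14:25:29 - " + _alp(49645)
    + _H + "14:25:30 - " + _REQ + _H + "14:25:30 - " + _alp(49647)
    + _H + "14:25:34 - " + _RESP + _H + "14:25:34 - " + _alp(49643)
    + _H + "14:25:36 - " + _alp(49642)  # no reason line before it
)

if __name__ == "__main__":
    for reason, n in summarize(pair_alparser_errors(parse_entries(SAMPLE))).most_common():
        print(f"{n:4d}  {reason}")
```

Run it against the real engine output (`python3 triage.py < suricata.log` after swapping SAMPLE for `sys.stdin.read()`) and compare the per-reason counts with what actually appears in http.log: a flow that produced a parser error but still shows up in http.log was, as Victor says below, at least partly understood.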
> Date: Sat, 31 Jul 2010 09:27:50 +0200
> From: victor at inliniac.net
> To: shant at skylab.ca
> CC: oisf-users at openinfosecfoundation.org; oisf-users-bounces at openinfosecfoundation.org
> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
>
> Shant Kassardjian wrote:
> > Anyways, I now have another problem. Despite Suricata functioning
> > properly, I get the following error on each web site I browse:
> >
> >
> > [100154] 30/7/2010 -- 19:36:28 - (app-layer-parser.c:931) <Error>
> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> > parsing "http" app layer protocol, using network protocol 6, source IP
> > address 172.25.1.10, destination IP address 24.200.239.18, src port
> > 49343 and dst port 80
> >
> >
> > [100154] 30/7/2010 -- 19:44:03 - (app-layer-parser.c:931) <Error>
> > (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> > parsing "http" app layer protocol, using network protocol 6, source IP
> > address 172.25.1.10, destination IP address 64.191.203.30, src port
> > 49580 and dst port 80
>
> Usually in the line above it, it will print the error reason. It's not
> uncommon to see some of these.
>
> Are you seeing the http requests appear in your
> /var/log/suricata/http.log? If so it means they are at least partly
> understood by Suricata.
>
> Cheers,
> Victor
>
>
> >
> >
> > Is this a configuration problem? There might be a small performance hit
> > because of this problem.
> >
> >
> > Many thanks for the help.
> >
> >
> >
> >
> >
> >> To: rmkml at free.fr; oisf-users-bounces at openinfosecfoundation.org;
> > shant at skylab.ca
> >> From: oisf at rogness.net
> >> Date: Fri, 30 Jul 2010 17:46:40 +0000
> >> CC: oisf-users at openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main)
> > --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
> >>
> >> You must specify which packets to send to suricata via an ipfw rule.
> > For example:
> >>
> >> ipfw divert 8000 ip from any to any via em0
> >>
> >> This example ipfw rule instructs the kernel to send packets, of type
> > IP, with any source/destination address, which either come in or out
> > interface em0, to a divert socket 8000.
> >>
> >> Suricata, configured with -d 8000, picks the packets off by listening
> > to this divert socket 8000.
> >>
> >> The 8000 specified in the suricata argument to -d MUST match the same
> > value which is added in the 'ipfw divert 8000 ...' command, or suricata
> > will not see packets from IPFW.
> >>
> >> The -i em0 flag is not needed for suricata running with IPFW divert
> > sockets. It would only be needed if you were running in IDS mode via pcap
> > or equivalent.
> >>
> >> Hope this helps.
> >>
> >> Nick
> >>
> >> Sent from my BlackBerry Smartphone provided by Alltel
> >>
> >> -----Original Message-----
> >> From: rmkml <rmkml at free.fr>
> >> Sender: oisf-users-bounces at openinfosecfoundation.org
> >> Date: Fri, 30 Jul 2010 18:50:04
> >> To: Shant Kassardjian<shant at skylab.ca>
> >> Cc: <oisf-users at openinfosecfoundation.org>
> >> Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --
> >> [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
> >>
> >> Hi Shant,
> >> maybe this can help you?:
> >> http://www.codealias.info/technotes/freebsd_divert_sockets
> >> ..."A divert socket is a socket that can be used to alter packets
> > before being processed by the networking stack."...
> >> Regards
> >> Rmkml
> >>
> >>
> >> On Fri, 30 Jul 2010, Shant Kassardjian wrote:
> >>
> >> > Hello Eric,
> >> >
> >> > Thank you for your reply, I am a bit confused as to which interface
> > suricata monitors traffic on? I have the bridge0 interface configured
> > for (em1, em2, ... em5)
> >> > 5 sub interfaces and em0 which is my uplink interface.
> >> >
> >> > I thought with -i em0 -d 8000 it would listen for traffic passing
> > only through em0 and divert it to ipfw.
> >> >
> >> > Can you please explain if I don't specify an interface with -i em0
> > which interface will suricata pick to monitor traffic? Will suricata
> > pass all the traffic from
> >> > the kernel to the ipfw divert socket with the -d option?
> >> >
> >> > Many thanks.
> >> >
> >> > Regards,
> >> > Shant K
> >> >
> >> >
> >> > > Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error>
> > (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
> >> > > From: eleblond at edenwall.com
> >> > > To: shant at skylab.ca
> >> > > CC: oisf-users at openinfosecfoundation.org
> >> > > Date: Fri, 30 Jul 2010 09:17:12 +0200
> >> > >
> >> > > Hi,
> >> > >
> >> > > On Friday 30 July 2010 at 02:56 +0000, Shant Kassardjian wrote:
> >> > > > Hello,
> >> > > >
> >> > > >
> >> > > > I can't seem to start suricata on FreeBSD 8.0
> >> > > >
> >> > > >
> >> > > > I have compiled with ./configure --enable-profiling --enable-ipfw
> >> > > ...
> >> > > >
> >> > > > # suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000
> >> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) --
> >> > > > This is Suricata version 1.0.1
> >> > > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) --
> >> > > > [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run
> > mode has
> >> > > > been specified
> >> > > > ...
> >> > > >
> >> > > >
> >> > > >
> >> > > > Any idea what went wrong? error message doesn't say much..
> >> > >
> >> > > It tells the error correctly ;)
> >> > >
> >> > > You ran with the options:
> >> > > - -i em0, which enables pcap on em0
> >> > > - -d 8000, with which you divert packets from rule 8000
> >> > > Thus you've got multiple run modes instead of one. You need to choose
> >> > > one.
> >> > >
> >> > > BR,
> >> > > --
> >> > > Éric Leblond, eleblond at edenwall.com
> >> > > Phone: +33 1 40 24 65 04, Fax: +33 9 57 21 48 75
> >> > > EdenWall, http://www.edenwall.com
> >> >
> >> >
> >> _______________________________________________
> >> Oisf-users mailing list
> >> Oisf-users at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
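Two points from the quoted thread lend themselves to a pre-flight check: Nick's, that the port given to -d must equal the port in the `ipfw divert` rule or Suricata sees no packets, and Éric's, that -i together with -d selects two run modes and trips SC_ERR_MULTIPLE_RUN_MODE. The script below is an added example, not Suricata's or FreeBSD's own code. It takes the Suricata command line and the output of `ipfw list` as text and reports mismatches before the engine is started; the rule listing is constructed, and `check_run_mode` and the other names are mine. It treats -i (pcap), -d (ipfw divert) and -r (pcap file) as run-mode flags, which goes slightly beyond the two flags discussed in the thread.

```python
"""Pre-flight check for Suricata run-mode flags against installed ipfw divert rules."""
import re
import shlex

# Command-line flags that each select a run mode in Suricata 1.0.x.
RUN_MODE_FLAGS = {"-i": "pcap", "-d": "ipfw divert", "-r": "pcap file"}

# "00100 divert 8000 ip from any to any via em0" as printed by `ipfw list`
DIVERT_RULE = re.compile(r"^\s*(?P<num>\d+)\s+divert\s+(?P<port>\d+)\b")


def parse_suricata_args(cmdline):
    """Return {flag: value} for every run-mode flag present on the command line."""
    argv = shlex.split(cmdline)
    modes = {}
    i = 0
    while i < len(argv):
        if argv[i] in RUN_MODE_FLAGS:
            modes[argv[i]] = argv[i + 1] if i + 1 < len(argv) else None
            i += 2
        else:
            i += 1
    return modes


def divert_ports(ipfw_list):
    """Collect the divert socket ports referenced by any ipfw rule."""
    ports = set()
    for line in ipfw_list.splitlines():
        m = DIVERT_RULE.match(line)
        if m:
            ports.add(int(m["port"]))
    return ports


def check_run_mode(cmdline, ipfw_list):
    """Return a list of findings; an empty list means the combination is consistent."""
    modes = parse_suricata_args(cmdline)
    findings = []
    if len(modes) > 1:
        names = ", ".join(f"{f} ({RUN_MODE_FLAGS[f]})" for f in sorted(modes))
        findings.append("multiple run modes: " + names)
    if "-d" in modes:
        port = int(modes["-d"])
        ports = divert_ports(ipfw_list)
        if not ports:
            findings.append("no ipfw divert rule installed; Suricata will see no packets")
        elif port not in ports:
            findings.append(f"-d {port} does not match ipfw divert port(s) {sorted(ports)}")
    return findings


# Constructed `ipfw list` output matching the rule suggested in the thread.
RULES = """\
00100 divert 8000 ip from any to any via em0
00200 allow ip from any to any
65535 deny ip from any to any
"""

if __name__ == "__main__":
    for cmd in ("suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000",
                "suricata -c /usr/local/etc/suricata/suricata.yaml -d 8000"):
        print(cmd, "->", check_run_mode(cmd, RULES) or ["ok"])
```

On a live box, feed it `ipfw list` output and the exact command from your rc script; the first case reproduces the "more than one run mode has been specified" situation from the start of the thread, the second is the working -d-only invocation.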