[Oisf-users] Error occured in parsing "http" app layer protocol
Sander Klein
roedie at roedie.nl
Fri Jul 22 07:24:22 UTC 2011
Hi,
I'm testing Suricata 1.0.4 and 1.1beta2 in my network.
I've created a mirror port on which I capture traffic entering and
leaving my network. The mirror port is receiving traffic from 2 different
VLANs. But, when I start Suricata I keep getting:
[27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address <clientip>, destination IP address <webserverip>, src port 56341
and dst port 80
[27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address <clientip>, destination IP address <webserverip>, src port 49680
and dst port 80
[27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address <clientip>, destination IP address <webserverip>, src port 54806
and dst port 80
[27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address <clientip>, destination IP address <webserverip>, src port 54272
and dst port 80
[27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address <clientip>, destination IP address <webserverip>, src port 41989
and dst port 80
[27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address <clientip>, destination IP address <webserverip>, src port 36367
and dst port 80
It keeps spitting out these messages and it seems that it's not really
inspecting my http streams.
My environment is a load balanced webserver cluster with Direct Server
Return doing about 30Mbit/s of http traffic. But even when testing with
5Mbit/s of traffic I get these messages.
Any ideas why this could happen? I'm pretty new to this so I'm not sure
which info is needed.
Regards,
Sander