[Oisf-users] Error occured in parsing "http" app layer protocol

Victor Julien victor at inliniac.net
Fri Jul 22 11:36:49 UTC 2011 

On 07/22/2011 09:24 AM, Sander Klein wrote:
> Hi,
> 
> I'm testing Suricata 1.0.4 and 1.1beta2 in my network.
> 
> I've created a mirror port on which I capture traffic entering and 
> leaving my network The mirror port is receiving traffic from 2 different 
> vlan's. But, when I start Suricata I keep getting:
> 
> [27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error> 
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
> parsing "http" app layer protocol, using network protocol 6, source IP 
> address <clientip>, destination IP address <webserverip>, src port 56341 
> and dst port 80
> [27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error> 
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
> parsing "http" app layer protocol, using network protocol 6, source IP 
> address <clientip>, destination IP address <webserverip>, src port 49680 
> and dst port 80
> [27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error> 
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
> parsing "http" app layer protocol, using network protocol 6, source IP 
> address <clientip>, destination IP address <webserverip>, src port 54806 
> and dst port 80
> [27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error> 
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
> parsing "http" app layer protocol, using network protocol 6, source IP 
> address <clientip>, destination IP address <webserverip>, src port 54272 
> and dst port 80
> [27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error> 
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
> parsing "http" app layer protocol, using network protocol 6, source IP 
> address <clientip>, destination IP address <webserverip>, src port 41989 
> and dst port 80
> [27707] 22/7/2011 -- 08:21:57 - (app-layer-parser.c:943) <Error> 
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in 
> parsing "http" app layer protocol, using network protocol 6, source IP 
> address <clientip>, destination IP address <webserverip>, src port 36367 
> and dst port 80
> 
> It keeps spitting out these messages and it seems that it's not really 
> inspecting my http streams.
> 
> My environment is a load balanced webserver cluster with Direct Server 
> Return doing about 30Mbit/s of http traffic. But even when testing with 
> 5Mbit/s of traffic I get these messages.
> 
> Any ideas why this could happen? I'm pretty new to this so I'm not sure 
> which info is needed.

Hi Sander, are you able to (privately) share a pcap?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list