[Oisf-users] Suricata parsers

Peter Manev petermanev at gmail.com
Mon Nov 7 17:59:44 UTC 2011


Hi,
This could very well be the reason.
Are there any VLANs involved where the interface that Suricata listens on
is not part of those VLANs/VLAN?

thanks

On Mon, Nov 7, 2011 at 5:23 PM, Peter Bates <peter.bates at ucl.ac.uk> wrote:

> Hello all...
>
> On 07/11/2011 16:11, Shirkdog wrote:
> > Can you post the errors to the list as well?
>
> I'm getting pretty consistent (IP addresses obfuscated):
>
> [27959] 7/11/2011 -- 16:16:34 - (app-layer-parser.c:969) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "tls" app layer protocol, using network protocol 6, source IP
> address a.b.214.226, destination IP address a.b.111.30, src port 57561
> and dst port 443
> [27959] 7/11/2011 -- 16:16:34 - (app-layer-htp.c:487) <Error>
> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in
> parsing HTTP server response: [1] [htp_response.c] [677] Unable to
> match response to request
> [27959] 7/11/2011 -- 16:16:34 - (app-layer-parser.c:969) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "http" app layer protocol, using network protocol 6, source IP
> address a.b.214.226, destination IP address a.b.111.30, src port 57562
> and dst port 80
> [27959] 7/11/2011 -- 16:18:40 - (app-layer-parser.c:969) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "smtp" app layer protocol, using network protocol 6, source IP
> address c.d.241.35, destination IP address a.b.111.57, src port 50156
> and dst port 25
>
> Having a closer look (which I should have done before posting to the
> list!) - all the destination IPs throwing errors are in the same /24
> which we have for SLB devices - so I think this is the cause of the
> errors.
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT



-- 
Peter Manev