[Oisf-users] Oisf-users Digest, Vol 24, Issue 12

Peter Manev petermanev at gmail.com
Sat Nov 12 07:38:48 UTC 2011


On Fri, Nov 11, 2011 at 11:59 PM, Wenji Wu <wuwenji18 at gmail.com> wrote:

> I downloaded the pcap data set from
> http://www.itoc.usma.edu/research/dataset/, installed the emerging rules,
> and ran suricata.
>
> I got the following errors:
>
> [9511] 11/11/2011 -- 16:54:42 - (app-layer-htp.c:391) <Error>
> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP client request: [1] [htp_request_generic.c] [154] Request field
> invalid: colon missing
> [9511] 11/11/2011 -- 16:54:42 - (app-layer-parser.c:969) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "http" app layer protocol, using network protocol 6, source IP
> address 10.2.190.254, destination IP address 10.1.60.187, src port 44737
> and dst port 80
> [9511] 11/11/2011 -- 16:54:42 - (app-layer-htp.c:391) <Error>
> (HTPHandleRequestData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in parsing
> HTTP client request: [1] [htp_request_generic.c] [154] Request field
> invalid: colon missing
> [9511] 11/11/2011 -- 16:54:42 - (app-layer-parser.c:969) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "http" app layer protocol, using network protocol 6, source IP
> address 10.2.190.254, destination IP address 10.1.60.187, src port 47764
> and dst port 80
>
>
> wenji
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
Hi Wenji,

The "parsing "http" app layer protocol" error we have seen before; there are
a number of reasons for this to occur: it could be "tagged"/VLAN traffic
that the interface Suricata listens on is not part of, it could be
that it cannot find the appropriate responses from the given IPs, and others...
I think this is more of an "informational" warning than an error.

The "Request field invalid: colon missing" error I see for the first time.

It would be useful if you could share a small pcap (not the 12 Gig from the
exercise :) ) that we could run to reproduce the error.

Let's not forget that this is traffic full of "sadness" on purpose...

Thanks



-- 
Peter Manev
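An added example, not code from the thread, from Suricata or from libhtp: a small scanner that does what Peter asks for, finding the packets in a pcap whose HTTP request header block contains a line with no colon (the condition libhtp reports as "Request field invalid: colon missing") and writing only those frames to a small pcap that can be shared. It also skips over one 802.1Q tag so VLAN-tagged traffic is inspected rather than ignored. The pcap parser, the colon check and the sample traffic are all mine; the sample pcap is constructed inline (addresses mirror the log lines above) and the check is an approximation of libhtp's, not its code.

```python
"""Find HTTP requests with a header line lacking a colon in a pcap and write only
those frames to a small pcap. Added example; not Suricata or libhtp code."""
import struct

VLAN_TAG = 0x8100
ETH_IPV4 = 0x0800
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")


def iter_pcap(data):
    """Yield (record_header, frame) from a little-endian pcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap (magic a1b2c3d4) is handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, off + 8)
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None.
    One 802.1Q tag is skipped, so VLAN-tagged frames are still inspected."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == VLAN_TAG:
        ethertype, = struct.unpack_from("!H", frame, 16)  # TCI at 14..16, inner type at 16..18
        off = 18
    if ethertype != ETH_IPV4 or len(frame) < off + 20 or frame[off + 9] != 6:
        return None
    ihl = (frame[off] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, off + 2)
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    tcp = off + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp + data_off:off + total_len]


def bad_header_line(payload):
    """Return the first request header line without a colon, or None.
    Folded continuation lines (leading SP/HT) are skipped, not flagged."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:  # [1:] drops the request line
        if not line or line[:1] in (b" ", b"\t"):
            continue
        if b":" not in line:
            return line
    return None


def find_colon_missing(pcap_bytes):
    """Scan a pcap; return ([(src, sport, dst, dport, line)], small_pcap_bytes)."""
    findings, keep = [], []
    for rec_hdr, frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        line = bad_header_line(payload)
        if line is not None:
            findings.append((src, sport, dst, dport, line))
            keep.append(rec_hdr + frame)
    return findings, pcap_bytes[:24] + b"".join(keep)


def build_frame(src, sport, dst, dport, payload, vlan=False):
    """Constructed test input: Ethernet/IPv4/TCP frame, checksums left zero
    because the scanner above does not validate them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    eth = b"\x00" * 12
    eth += struct.pack("!HHH", VLAN_TAG, 100, ETH_IPV4) if vlan else struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp + payload


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample: a clean request, a VLAN-tagged request with a colon-less
# header line, and a response packet that is not a request at all.
SAMPLE_PCAP = build_pcap([
    build_frame("10.2.190.254", 44736, "10.1.60.187", 80,
                b"GET / HTTP/1.1\r\nHost: 10.1.60.187\r\nUser-Agent: x\r\n\r\n"),
    build_frame("10.2.190.254", 44737, "10.1.60.187", 80,
                b"GET /a HTTP/1.1\r\nHost: 10.1.60.187\r\nX-Broken header no colon\r\n\r\n",
                vlan=True),
    build_frame("10.1.60.187", 80, "10.2.190.254", 44737, b"HTTP/1.1 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    hits, small = find_colon_missing(SAMPLE_PCAP)
    for src, sport, dst, dport, line in hits:
        print(f"{src}:{sport} -> {dst}:{dport}: {line!r}")
    with open("colon-missing.pcap", "wb") as fh:
        fh.write(small)
```

Point it at a real capture by reading the file into `find_colon_missing` instead of `SAMPLE_PCAP`. Two limits to keep in mind: it inspects each segment on its own, so a request whose headers are split across TCP segments is not reassembled the way Suricata's stream engine does, and it expects CRLF line endings and a little-endian pcap (not pcapng). The output pcap carries only the flagged request frames, so the server side of those flows would need to be added by hand if the reproduction requires it.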