[Oisf-users] HTTP parsing events in Suricata
Victor Julien
victor at inliniac.net
Thu Jan 12 03:20:36 EST 2012
On 01/12/2012 08:51 AM, Peter Manev wrote:
> I guess if you have lots of packet losses there will be lots of http
> parse errs (and not only).... or you can try increasing the anomaly
> counters for example for http, if that is of concearn.
Actually, this is not how it works.
If unrecoverable packet loss is encountered (data segments lost) a
stream event is set:
stream-event:reassembly_seq_gap;
The stream-events.rules file contains this rule:
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence
GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; sid:2210048;
rev:1;)
At this point the http parser lost track and gives up, and so will not
emit errors.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list