[Oisf-users] HTTP parsing events in Suricata

Peter Manev petermanev at gmail.com
Thu Jan 12 03:29:28 EST 2012


sorry.

And if the stream-events.rules is not enabled?

thanks

On Thu, Jan 12, 2012 at 9:20 AM, Victor Julien <victor at inliniac.net> wrote:

> On 01/12/2012 08:51 AM, Peter Manev wrote:
> > I guess if you have lots of packet losses there will be lots of http
> > parse errs (and not only).... or you can try increasing the anomaly
> > counters for example for http, if that is of concern.
>
> Actually, this is not how it works.
>
> If unrecoverable packet loss is encountered (data segments lost) a
> stream event is set:
>
> stream-event:reassembly_seq_gap;
>
> The stream-events.rules file contains this rule:
>
> alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence
> GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; sid:2210048;
> rev:1;)
>
> At this point the http parser lost track and gives up, and so will not
> emit errors.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>


-- 
Peter Manev
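The point in the exchange above is easy to misread in practice: once Suricata raises the reassembly gap event (sid 2210048) for a flow, the HTTP parser stops, so a flow with a gap and no HTTP events is not evidence of clean traffic. The script below, an added example that is not code from the thread or from the Suricata project, parses a few constructed fast.log lines and summarises alerts per flow so that gap flows are reported separately from flows with genuine HTTP anomalies. It assumes the classic single-line fast.log layout, and that HTTP event rule messages start with "SURICATA HTTP"; the non-gap sids (9000001, 9000002) are placeholders, not real rule ids.

```python
"""Correlate Suricata fast.log alerts per flow so that stream reassembly gaps
(sid 2210048, from stream-events.rules) are not mistaken for HTTP parser silence.

Added example; not code from the mailing-list thread or from Suricata itself.
"""
import re
from collections import defaultdict

SEQ_GAP_SID = 2210048  # sid of the gap rule quoted in the thread

# Constructed sample fast.log lines. Sids 9000001 and 9000002 and their
# messages are placeholders, not entries from any shipped Suricata rule file.
SAMPLE_FAST_LOG = """\
01/12/2012-09:20:01.000100  [**] [1:2210048:1] SURICATA STREAM reassembly sequence GAP -- missing packet(s) [**] [Classification: (null)] [Priority: 3] {TCP} 10.1.1.10:51234 -> 10.2.2.20:80
01/12/2012-09:20:02.000200  [**] [1:9000001:1] SURICATA HTTP placeholder parse event [**] [Classification: (null)] [Priority: 3] {TCP} 10.1.1.11:51235 -> 10.2.2.20:80
01/12/2012-09:20:03.000300  [**] [1:2210048:1] SURICATA STREAM reassembly sequence GAP -- missing packet(s) [**] [Classification: (null)] [Priority: 3] {TCP} 10.1.1.10:51234 -> 10.2.2.20:80
01/12/2012-09:20:04.000400  [**] [1:9000002:1] CONSTRUCTED non-HTTP policy event [**] [Classification: (null)] [Priority: 2] {TCP} 10.1.1.12:51236 -> 10.2.2.20:443
# this line is deliberately malformed and must be skipped by the parser
"""

# Assumed fast.log layout: timestamp  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log text into alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["priority"] = int(rec.pop("prio"))
        alerts.append(rec)
    return alerts


def flow_key(alert):
    """5-tuple identifying the flow an alert belongs to."""
    return (alert["proto"], alert["src"], alert["sport"], alert["dst"], alert["dport"])


def count_by_sid(alerts):
    """Number of alerts per sid, e.g. how often the gap rule fired."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["sid"]] += 1
    return dict(counts)


def summarize_flows(alerts):
    """Per-flow counts plus a verdict: GAP (parser gave up, HTTP silence expected),
    HTTP_ANOMALY (HTTP event on an intact stream) or NO_HTTP_EVENTS."""
    flows = defaultdict(lambda: {"seq_gap": 0, "http_events": 0, "other": 0})
    for a in alerts:
        f = flows[flow_key(a)]
        if a["sid"] == SEQ_GAP_SID:
            f["seq_gap"] += 1
        elif a["msg"].startswith("SURICATA HTTP"):  # assumed prefix of HTTP event rules
            f["http_events"] += 1
        else:
            f["other"] += 1
    for f in flows.values():
        if f["seq_gap"]:
            f["verdict"] = "GAP"
        elif f["http_events"]:
            f["verdict"] = "HTTP_ANOMALY"
        else:
            f["verdict"] = "NO_HTTP_EVENTS"
    return dict(flows)


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    print("alerts per sid:", count_by_sid(parsed))
    for key, info in summarize_flows(parsed).items():
        print(key, info)
```

Flows with the GAP verdict need packet-loss investigation (capture interface drops, span port oversubscription) rather than HTTP tuning; only the HTTP_ANOMALY flows reflect what the HTTP parser actually saw.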