[Oisf-users] HTTP parsing events in Suricata
Victor Julien
victor at inliniac.net
Thu Jan 12 03:34:21 EST 2012
On 01/12/2012 09:29 AM, Peter Manev wrote:
> sorry.
>
> And if the stream-events.rules is not enabled?
Then the rule obviously won't fire and things are quiet. However in the
stats.log the entry for tcp.reassembly_gap will be incremented.
Cheers,
Victor
>
> thanks
>
> On Thu, Jan 12, 2012 at 9:20 AM, Victor Julien <victor at inliniac.net
> <mailto:victor at inliniac.net>> wrote:
>
> On 01/12/2012 08:51 AM, Peter Manev wrote:
> > I guess if you have lots of packet losses there will be lots of http
> > parse errs (and not only).... or you can try increasing the anomaly
> > counters for example for http, if that is of concearn.
>
> Actually, this is not how it works.
>
> If unrecoverable packet loss is encountered (data segments lost) a
> stream event is set:
>
> stream-event:reassembly_seq_gap;
>
> The stream-events.rules file contains this rule:
>
> alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence
> GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; sid:2210048;
> rev:1;)
>
> At this point the http parser lost track and gives up, and so will not
> emit errors.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
>
> --
> Peter Manev
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list