[Oisf-users] HTTP parsing events in Suricata

Victor Julien victor at inliniac.net
Thu Jan 12 03:34:21 EST 2012


On 01/12/2012 09:29 AM, Peter Manev wrote:
> sorry.
> 
> And if the stream-events.rules is not enabled?

Then the rule obviously won't fire and things are quiet. However, in the
stats.log the entry for tcp.reassembly_gap will be incremented.

Cheers,
Victor

> 
> thanks
> 
> On Thu, Jan 12, 2012 at 9:20 AM, Victor Julien <victor at inliniac.net
> <mailto:victor at inliniac.net>> wrote:
> 
>     On 01/12/2012 08:51 AM, Peter Manev wrote:
>     > I guess if you have lots of packet losses there will be lots of http
>     > parse errs (and not only).... or you can try increasing the anomaly
>     > counters for example for http, if that is of concern.
> 
>     Actually, this is not how it works.
> 
>     If unrecoverable packet loss is encountered (data segments lost) a
>     stream event is set:
> 
>     stream-event:reassembly_seq_gap;
> 
>     The stream-events.rules file contains this rule:
> 
>     alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; sid:2210048; rev:1;)
> 
>     At this point the http parser lost track and gives up, and so will not
>     emit errors.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
> 
> 
> 
> -- 
> Peter Manev


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
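The thread's practical point is that with stream-events.rules disabled a reassembly gap is recorded only as a counter in stats.log, while the HTTP parser silently stops inspecting the affected flow. The following is an added example, not code from Suricata or from either poster: it parses stats.log dumps for tcp.reassembly_gap, computes how much the counter grew between dumps, counts fast.log alerts for sid 2210048, and flags the case where gaps accumulate without any alert. The stats.log and fast.log excerpts are constructed to mimic Suricata's textual layouts; apart from the counter name and sid named in the thread, the other counters, thread names and the sid 1000001 alert line are invented sample data.

```python
"""Check whether TCP reassembly gaps seen by Suricata are also being alerted.

Added example, not code from Suricata or from the thread. The stats.log and
fast.log excerpts are constructed to mimic Suricata's textual layouts; only
the counter name tcp.reassembly_gap and sid 2210048 come from the thread.
"""
import re

GAP_COUNTER = "tcp.reassembly_gap"
GAP_SID = 2210048  # SURICATA STREAM reassembly sequence GAP (stream-events.rules)

# Constructed stats.log: two periodic dumps, counters listed per thread.
STATS_LOG = """\
------------------------------------------------------------------
Date: 1/12/2012 -- 09:29:10 (uptime: 0d, 00h 00m 10s)
------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------
decoder.pkts              | Decode1                   | 4100
tcp.sessions              | Detect                    | 120
tcp.reassembly_gap        | Detect                    | 0
------------------------------------------------------------------
Date: 1/12/2012 -- 09:29:20 (uptime: 0d, 00h 00m 20s)
------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------
decoder.pkts              | Decode1                   | 9800
tcp.sessions              | Detect                    | 260
tcp.reassembly_gap        | Detect                    | 4
"""

# Constructed fast.log with stream-events.rules NOT loaded: one unrelated
# alert (invented local sid), nothing for 2210048 although gaps went 0 -> 4.
FAST_LOG_QUIET = """\
01/12/2012-09:29:15.105221  [**] [1:1000001:1] LOCAL constructed example alert [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.7:51200 -> 10.0.0.2:80
"""

# Constructed fast.log with the gap rule loaded: two alerts for sid 2210048.
FAST_LOG_ALERTING = """\
01/12/2012-09:29:12.441007  [**] [1:2210048:1] SURICATA STREAM reassembly sequence GAP -- missing packet(s) [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.7:51200 -> 10.0.0.2:80
01/12/2012-09:29:17.009113  [**] [1:2210048:1] SURICATA STREAM reassembly sequence GAP -- missing packet(s) [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:40011 -> 10.0.0.2:80
"""

_DATE_RE = re.compile(r"^Date:\s*(.+?)\s*\(uptime")
_COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")
_SID_RE = re.compile(r"\[\d+:(\d+):\d+\]")


def parse_stats_log(text):
    """Return a list of (timestamp, {counter: total}) per dump; per-thread
    rows for the same counter are summed into one total."""
    dumps = []
    for line in text.splitlines():
        m = _DATE_RE.match(line)
        if m:
            dumps.append((m.group(1), {}))
            continue
        m = _COUNTER_RE.match(line)
        if m and dumps:
            name, _tm_name, value = m.groups()
            counters = dumps[-1][1]
            counters[name] = counters.get(name, 0) + int(value)
    return dumps


def counter_deltas(dumps, name):
    """Increase of `name` between consecutive dumps. Counters are cumulative,
    so a drop means Suricata restarted; the new value is then the increase."""
    deltas = []
    prev = None
    for _ts, counters in dumps:
        cur = counters.get(name, 0)
        if prev is not None:
            deltas.append(cur if cur < prev else cur - prev)
        prev = cur
    return deltas


def count_alerts_for_sid(fast_log_text, sid):
    """Count fast.log lines whose [gid:sid:rev] block carries `sid`."""
    return sum(1 for line in fast_log_text.splitlines()
               if (m := _SID_RE.search(line)) and int(m.group(1)) == sid)


def check_gap_visibility(stats_text, fast_text):
    """Compare new gaps with gap alerts. Gaps with zero alerts means HTTP
    inspection is being lost on those flows without anyone being told."""
    gaps = sum(counter_deltas(parse_stats_log(stats_text), GAP_COUNTER))
    alerts = count_alerts_for_sid(fast_text, GAP_SID)
    if gaps == 0:
        verdict = "ok: no reassembly gaps"
    elif alerts == 0:
        verdict = ("silent loss: %d gaps counted but sid %d never fired; "
                   "stream-events.rules likely not loaded" % (gaps, GAP_SID))
    else:
        verdict = "gaps alerted"
    return {"gaps": gaps, "alerts": alerts, "verdict": verdict}


if __name__ == "__main__":
    for label, fast in (("rules disabled", FAST_LOG_QUIET),
                        ("rules enabled", FAST_LOG_ALERTING)):
        print(label, check_gap_visibility(STATS_LOG, fast))
```

Run against a real sensor, the two constructed strings are replaced by the contents of stats.log and fast.log for the same window; the per-thread summing matters because stats.log reports counters per thread, and the restart handling keeps a sensor restart from showing up as a negative delta.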
