[Oisf-users] Lot of alerts using git version

C. L. Martinez carlopmart at gmail.com
Tue May 21 09:53:24 UTC 2013


Hi all,

This morning I installed Suricata from git on an OpenBSD 5.3
host. After installing, I started this Suricata instance and a
lot of alerts like these are triggered:

05/21/2013-09:48:42.391365  [**] [1:2221000:1] SURICATA HTTP unknown
error [**] [Classification: Generic Protocol Command Decode]
[Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52038
05/21/2013-09:48:42.707321  [**] [1:2221021:1] SURICATA HTTP response
header invalid [**] [Classification: Generic Protocol Command Decode]
[Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221020:1] SURICATA HTTP response
field missing colon [**] [Classification: Generic Protocol Command
Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221019:1] SURICATA HTTP response
field too long [**] [Classification: Generic Protocol Command Decode]
[Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221017:1] SURICATA HTTP invalid
response field folding [**] [Classification: Generic Protocol Command
Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042

10.196.0.15 is a proxy host and I want to monitor only the traffic that comes
and goes from/to the Internet to this host. To accomplish this I have
configured the following BPF filter:

(ip and (src host 10.196.0.15 and not (dst net 10.0.0.0/8 or dst net
172.16.0.0/12 or dst net 192.168.0.0/16))) or
(ip and (dst host 10.196.0.15 and not (src net 10.0.0.0/8 or src net
172.16.0.0/12 or src net 192.168.0.0/16))) or
(vlan and (src host 10.196.0.15 and not (dst net 10.0.0.0/8 or dst net
172.16.0.0/12 or dst net 192.168.0.0/16))) or
(vlan and (dst host 10.196.0.15 and not (src net 10.0.0.0/8 or src net
172.16.0.0/12 or src net 192.168.0.0/16)))

What am I doing wrong?
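A triage helper for the alerts quoted above, added here as an example and not code from the poster or from the Suricata project: it parses fast.log lines of the shape shown, counts them per rule SID and per remote peer, and checks each flow against the intent of the poster's BPF filter (proxy on one side, non-RFC1918 address on the other) so the alerts can be confirmed as coming only from the proxy's Internet peers. The sample lines are constructed from the post (one alert per line, as Suricata writes them) and the function names are my own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the alerts quoted in the post, unwrapped to one line each.
SAMPLE = """\
05/21/2013-09:48:42.391365  [**] [1:2221000:1] SURICATA HTTP unknown error [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52038
05/21/2013-09:48:42.707321  [**] [1:2221021:1] SURICATA HTTP response header invalid [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221020:1] SURICATA HTTP response field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221019:1] SURICATA HTTP response field too long [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
"""

# Fields of a fast.log line: timestamp, [gid:sid:rev], message, classification, priority, protocol, endpoints.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<class>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

PROXY = ip_address("10.196.0.15")  # the monitored proxy host from the post
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fast_log(text):
    """Return one dict of named fields per parseable fast.log line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(FAST_LOG_RE.match, text.splitlines()) if m]


def is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)


def matches_proxy_filter(src, dst):
    """Same intent as the BPF filter: the proxy on one end and a non-RFC1918 address on the other."""
    src, dst = ip_address(src), ip_address(dst)
    return (src == PROXY and not is_private(dst)) or (dst == PROXY and not is_private(src))


def summarize(events):
    """Alert counts per (sid, msg), per remote peer, and any flow the filter should not have passed."""
    by_sid = Counter((e["sid"], e["msg"]) for e in events)
    by_peer = Counter(e["src"] if e["dst"] == str(PROXY) else e["dst"] for e in events)
    unexpected = [e for e in events if not matches_proxy_filter(e["src"], e["dst"])]
    return by_sid, by_peer, unexpected


if __name__ == "__main__":
    by_sid, by_peer, unexpected = summarize(parse_fast_log(SAMPLE))
    print("per SID:", dict(by_sid))
    print("per peer:", dict(by_peer), "unexpected flows:", len(unexpected))
```

All four sample alerts come from one Internet-side server (195.162.19.54:80) talking to the proxy, which is exactly the traffic the filter is meant to keep; the SIDs in the 2221000 range are Suricata's built-in HTTP decoder-event rules, so a burst of them from a single peer points at that server's malformed responses rather than at the filter.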

