[Oisf-users] Lot of alerts using git version

Victor Julien lists at inliniac.net
Tue May 21 10:19:53 UTC 2013


On 05/21/2013 11:53 AM, C. L. Martinez wrote:
> Hi all,
> 
>  This morning I have installed suricata from git under an OpenBSD 5.3
> host. After installing, I have started this suricata instance and a
> lot of alerts like this are triggered:
> 
> 05/21/2013-09:48:42.391365  [**] [1:2221000:1] SURICATA HTTP unknown
> error [**] [Classification: Generic Protocol Command Decode]
> [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52038
> 05/21/2013-09:48:42.707321  [**] [1:2221021:1] SURICATA HTTP response
> header invalid [**] [Classification: Generic Protocol Command Decode]
> [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
> 05/21/2013-09:48:42.707321  [**] [1:2221020:1] SURICATA HTTP response
> field missing colon [**] [Classification: Generic Protocol Command
> Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
> 05/21/2013-09:48:42.707321  [**] [1:2221019:1] SURICATA HTTP response
> field too long [**] [Classification: Generic Protocol Command Decode]
> [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
> 05/21/2013-09:48:42.707321  [**] [1:2221017:1] SURICATA HTTP invalid
> response field folding [**] [Classification: Generic Protocol Command
> Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
> 
> 10.196.0.15 is a proxy host and I want to monitor traffic that comes
> and goes from/to the Internet to this host only. To accomplish this I have
> configured the following bpf filter:
> 
> (ip and (src host 10.196.0.15 and not (dst net 10.0.0.0/8 or dst net
> 172.16.0.0/12 or dst net 192.168.0.0/16))) or
> (ip and (dst host 10.196.0.15 and not (src net 10.0.0.0/8 or src net
> 172.16.0.0/12 or src net 192.168.0.0/16))) or
> (vlan and (src host 10.196.0.15 and not (dst net 10.0.0.0/8 or dst net
> 172.16.0.0/12 or dst net 192.168.0.0/16))) or
> (vlan and (dst host 10.196.0.15 and not (src net 10.0.0.0/8 or src net
> 172.16.0.0/12 or src net 192.168.0.0/16)))
> 
>  What am I doing wrong??

Not much, we just pushed an update to address this. If you're running
git master, you can expect some glitches every now and then.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
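As an added example (not part of the thread and not Suricata project code), the script below parses the fast.log lines quoted above, counts alerts per signature, and checks each alert against the intent of the poster's BPF filter: one endpoint must be the proxy 10.196.0.15 and the other must lie outside the RFC1918 ranges. It assumes the single-line fast.log layout shown in the mail (the mail client wrapped the lines), and it treats a message starting with "SURICATA " as an engine-generated protocol event rather than a rule from a downloaded ruleset, which is an assumption about naming, not something the thread states. The sample input is constructed from the five alerts in the mail.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the five alerts quoted in the thread, one per line
# as fast.log writes them (the mail client had wrapped them).
SAMPLE_FAST_LOG = """\
05/21/2013-09:48:42.391365  [**] [1:2221000:1] SURICATA HTTP unknown error [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52038
05/21/2013-09:48:42.707321  [**] [1:2221021:1] SURICATA HTTP response header invalid [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221020:1] SURICATA HTTP response field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221019:1] SURICATA HTTP response field too long [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
05/21/2013-09:48:42.707321  [**] [1:2221017:1] SURICATA HTTP invalid response field folding [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
"""

# One fast.log alert line: timestamp, [gid:sid:rev], message, classification,
# priority, {proto} src:port -> dst:port.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

# The host the poster wants to watch, and the private ranges the BPF filter excludes.
PROXY = ipaddress.ip_address("10.196.0.15")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fast_log_line(line):
    """Return a dict of the alert's fields, or None if the line is not a fast.log alert."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def is_private(ip):
    """True when the address falls inside one of the RFC1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def matches_bpf_intent(alert):
    """True when exactly one endpoint is the proxy and the other is not RFC1918,
    which is the traffic the poster's BPF filter is meant to admit."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    if src == PROXY:
        return not is_private(alert["dst"])
    if dst == PROXY:
        return not is_private(alert["src"])
    return False


def summarize(text):
    """Aggregate a fast.log excerpt: totals per signature, how many alerts are
    engine protocol events (assumed: message starts with 'SURICATA '), and how
    many alerts involve traffic the BPF filter should not have admitted."""
    alerts = [a for a in (parse_fast_log_line(l) for l in text.splitlines()) if a]
    by_sid = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    engine_events = sum(1 for a in alerts if a["msg"].startswith("SURICATA "))
    off_policy = sum(1 for a in alerts if not matches_bpf_intent(a))
    return {
        "total": len(alerts),
        "by_sid": by_sid,
        "engine_events": engine_events,
        "off_policy": off_policy,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FAST_LOG)
    print(f"{report['total']} alerts, {report['engine_events']} engine events, "
          f"{report['off_policy']} outside the BPF filter's intent")
    for (gid, sid, msg), count in report["by_sid"].most_common():
        print(f"  [{gid}:{sid}] {msg}: {count}")
```

Run against a live fast.log, a high ratio of engine events to ruleset hits points at a decoder or parser problem (as in this thread) rather than at the monitored traffic, while a non-zero off_policy count means the capture is seeing flows the BPF filter was supposed to drop, for instance because the `vlan` clauses do not match the tagging actually in use.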