[Oisf-users] Lot of alerts using git version

C. L. Martinez carlopmart at gmail.com
Tue May 21 11:17:48 UTC 2013


On Tue, May 21, 2013 at 10:19 AM, Victor Julien <lists at inliniac.net> wrote:
> On 05/21/2013 11:53 AM, C. L. Martinez wrote:
>> Hi all,
>>
>>  This morning I have installed suricata from git under an OpenBSD 5.3
>> host. After installing, I have started this suricata instance and a
>> lot of alerts like this are triggered:
>>
>> 05/21/2013-09:48:42.391365  [**] [1:2221000:1] SURICATA HTTP unknown
>> error [**] [Classification: Generic Protocol Command Decode]
>> [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52038
>> 05/21/2013-09:48:42.707321  [**] [1:2221021:1] SURICATA HTTP response
>> header invalid [**] [Classification: Generic Protocol Command Decode]
>> [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
>> 05/21/2013-09:48:42.707321  [**] [1:2221020:1] SURICATA HTTP response
>> field missing colon [**] [Classification: Generic Protocol Command
>> Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
>> 05/21/2013-09:48:42.707321  [**] [1:2221019:1] SURICATA HTTP response
>> field too long [**] [Classification: Generic Protocol Command Decode]
>> [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
>> 05/21/2013-09:48:42.707321  [**] [1:2221017:1] SURICATA HTTP invalid
>> response field folding [**] [Classification: Generic Protocol Command
>> Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042
>>
>> 10.196.0.15 is a proxy host and I want to monitor traffic that comes
>> and goes from/to the Internet to this host only. To accomplish this I have
>> configured the following bpf filter:
>>
>> (ip and (src host 10.196.0.15 and not (dst net 10.0.0.0/8 or dst net
>> 172.16.0.0/12 or dst net 192.168.0.0/16))) or
>> (ip and (dst host 10.196.0.15 and not (src net 10.0.0.0/8 or src net
>> 172.16.0.0/12 or src net 192.168.0.0/16))) or
>> (vlan and (src host 10.196.0.15 and not (dst net 10.0.0.0/8 or dst net
>> 172.16.0.0/12 or dst net 192.168.0.0/16))) or
>> (vlan and (dst host 10.196.0.15 and not (src net 10.0.0.0/8 or src net
>> 172.16.0.0/12 or src net 192.168.0.0/16)))
>>
>>  What am I doing wrong??
>
> Not much, we just pushed an update to address this. If you're running
> git master, you can expect some glitches every now and then.
>
> --

Thanks Victor, I have reverted to release 1.4.1 and these alerts do
not appear ...
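As an added example (not code from the thread or from Suricata itself), a small Python triage helper for the situation above: it parses fast-log alert lines like the ones quoted, counts them per SID so the noisy signatures stand out, and re-implements the address logic of the thread's BPF filter to flag any alert whose endpoints the filter should have excluded (a non-empty result would mean the filter is not actually being applied). The sample log lines are constructed, modelled on the quoted ones.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in Suricata "fast" log format, modelled on the alerts quoted in the thread.
SAMPLE_FAST_LOG = (
    "05/21/2013-09:48:42.391365  [**] [1:2221000:1] SURICATA HTTP unknown error [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52038\n"
    "05/21/2013-09:48:42.707321  [**] [1:2221021:1] SURICATA HTTP response header invalid [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52042\n"
    "05/21/2013-09:48:42.707321  [**] [1:2221021:1] SURICATA HTTP response header invalid [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.162.19.54:80 -> 10.196.0.15:52043\n"
    "05/21/2013-09:48:42.901000  [**] [1:2221020:1] SURICATA HTTP response field missing colon [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.196.0.15:52042 -> 10.1.2.3:80\n"
)
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)
PROXY = ip_address("10.196.0.15")  # the monitored proxy host from the thread
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_fast_log(text):
    """Return one dict per well-formed fast-log line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def count_by_sid(alerts):
    """Histogram of (sid, msg) pairs: shows which signatures dominate the noise."""
    return Counter((a["sid"], a["msg"]) for a in alerts)

def is_private(addr):
    return any(addr in net for net in RFC1918)

def matches_monitor_filter(src, dst):
    """Address predicate of the thread's BPF filter (the 'vlan' branches repeat
    the same logic): the proxy talking to a non-RFC1918 peer, in either direction."""
    s, d = ip_address(src), ip_address(dst)
    return (s == PROXY and not is_private(d)) or (d == PROXY and not is_private(s))

def outside_filter(alerts):
    """Alerts whose endpoints the BPF filter should never have let through."""
    return [a for a in alerts if not matches_monitor_filter(a["src"], a["dst"])]
```

Running `count_by_sid(parse_fast_log(open("fast.log").read())).most_common()` on a real fast.log gives the per-signature ranking, and `outside_filter` on the same list is empty when the filter is in effect.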
