[Oisf-users] latest git version, DetectAppLayerEventParseAppP2: Assertion `!(1)' failed

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Wed Jan 15 11:12:44 UTC 2014


Hi Anoop,
sorry for the delay but here is the debug output.

[22950] 15/1/2014 -- 11:05:28 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-icmp.rules
[22950] 15/1/2014 -- 11:05:29 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-virus.rules
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 2
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 4
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 5
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 7
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 9
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 11
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 13
[22950] 15/1/2014 -- 11:05:32 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/dns-events.rules
[22950] 15/1/2014 -- 11:05:32 - (detect.c:453) <Info> (SigLoadSignatures) -- 50 rule files processed. 14414 rules successfully loaded, 7 rules failed
[22950] 15/1/2014 -- 11:05:32 - (detect.c:2569) <Info> (SigAddressPrepareStage1) -- 14422 signatures processed. 1283 are IP-only rules, 3888 are inspecting packet payload, 10693 inspect application layer, 76 are decoder event only
[22950] 15/1/2014 -- 11:05:32 - (detect.c:2572) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[22950] 15/1/2014 -- 11:05:32 - (detect.c:3195) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[22950] 15/1/2014 -- 11:05:38 - (detect.c:3837) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete




On 13.01.2014 at 15:46, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> Hi Stefan,
> 
> I have submitted a PR https://github.com/inliniac/suricata/pull/763
> that should help you zero in on the offending rule (by printing the
> rule to the console, rather than put out a core dump).
> 
> You can either apply the patch or wait for it to be pushed.
> 
> On Mon, Jan 13, 2014 at 6:58 PM, Stefan Sabolowitsch
> <Stefan.Sabolowitsch at felten-group.com> wrote:
>> Hi Anoop,
>> any news here (with my rules) ?
>> 
>> Best regards
>> Stefan
>> 
>> On 11.01.2014 at 03:15, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>> 
>>> On Fri, Jan 10, 2014 at 10:02 PM, Stefan Sabolowitsch
>>> <Stefan.Sabolowitsch at felten-group.com> wrote:
>>>> Hi all,
>>>> I have multiple suri instances running here, but after the latest git only "one" instance will run; all others failed with this message
>>>> 
>>>> suricata: detect-app-layer-event.c:152: DetectAppLayerEventParseAppP2: Assertion `!(1)' failed.
>>>> 
>>> 
>>> Could you post the rule in question (privately if you want to)?
>>> 
>>> --
>>> -------------------------------
>>> Anoop Saldanha
>>> http://www.poona.me
>>> -------------------------------
>>> 
>> 
>> 
> 
> 
> 
> -- 
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
> 
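
A way to triage debug output like the log in this message, as an added example that is not part of the original thread: it pulls the rule file, line number, sid and `app-layer-event` keyword out of each `error parsing signature` line and checks the count against the `rules failed` summary line. The function names are hypothetical and the sample log is constructed from two of the lines above, with the summary count adjusted to match.

```python
import re
from collections import defaultdict

# Constructed sample: two failure lines in the format of the debug output
# above, plus a summary line whose failed count was adjusted to 2.
SAMPLE_LOG = r'''
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 11
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 13
[22950] 15/1/2014 -- 11:05:32 - (detect.c:453) <Info> (SigLoadSignatures) -- 50 rule files processed. 14414 rules successfully loaded, 2 rules failed
'''

# The rule text itself contains double quotes, so match greedily up to the
# last '" from file' on the line ('.' does not cross newlines).
FAIL_RE = re.compile(
    r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
SUMMARY_RE = re.compile(r'(\d+) rules successfully loaded, (\d+) rules failed')

def failed_signatures(log_text):
    """Return one dict per rule that was rejected while loading."""
    failures = []
    for m in FAIL_RE.finditer(log_text):
        rule = m.group("rule")
        parts = rule.split()
        sid = re.search(r'\bsid:\s*(\d+)', rule)
        event = re.search(r'\bapp-layer-event:\s*([\w.]+)', rule)
        failures.append({
            "file": m.group("file"),
            "line": int(m.group("line")),
            "proto": parts[1] if len(parts) > 1 else None,  # e.g. "dns"
            "sid": int(sid.group(1)) if sid else None,
            "event": event.group(1) if event else None,
        })
    return failures

def group_by_file_and_proto(failures):
    """Map (rule file, rule protocol) -> list of rejected sids."""
    groups = defaultdict(list)
    for f in failures:
        groups[(f["file"], f["proto"])].append(f["sid"])
    return dict(groups)

def count_matches_summary(log_text):
    """True when the summary's failed count equals the error lines found."""
    m = SUMMARY_RE.search(log_text)
    return m is not None and int(m.group(2)) == len(failed_signatures(log_text))

if __name__ == "__main__":
    for (path, proto), sids in group_by_file_and_proto(failed_signatures(SAMPLE_LOG)).items():
        print(f"{path}: {len(sids)} rejected '{proto}' rules, sids {sids}")
    print("summary count consistent:", count_matches_summary(SAMPLE_LOG))
```
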




