[Oisf-users] latest git version, DetectAppLayerEventParseAppP2: Assertion `!(1)' failed

Anoop Saldanha anoopsaldanha at gmail.com
Fri Jan 17 11:53:06 UTC 2014


Stefan,

Are you using the updated config?  The latest app layer change has
modified the config -

http://www.poona.me/2014/01/suricata-app-layer-changes-new-keyword.html

On Wed, Jan 15, 2014 at 4:42 PM, Stefan Sabolowitsch
<Stefan.Sabolowitsch at felten-group.com> wrote:
> Hi Anoop,
> sorry for the delay but here is the debug output.
>
> [22950] 15/1/2014 -- 11:05:28 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-icmp.rules
> [22950] 15/1/2014 -- 11:05:29 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-virus.rules
> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 2
> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 4
> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 5
> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 7
> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 9
> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 11
> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 13
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/dns-events.rules
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:453) <Info> (SigLoadSignatures) -- 50 rule files processed. 14414 rules successfully loaded, 7 rules failed
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:2569) <Info> (SigAddressPrepareStage1) -- 14422 signatures processed. 1283 are IP-only rules, 3888 are inspecting packet payload, 10693 inspect application layer, 76 are decoder event only
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:2572) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
> [22950] 15/1/2014 -- 11:05:32 - (detect.c:3195) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
> [22950] 15/1/2014 -- 11:05:38 - (detect.c:3837) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
>
>
>
>
> On 13.01.2014 at 15:46, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>
>> Hi Stefan,
>>
>> I have submitted a PR https://github.com/inliniac/suricata/pull/763
>> that should help you zero in on the offending rule (by printing the
>> rule to the console, rather than put out a core dump).
>>
>> You can either apply the patch or wait for it to be pushed.
>>
>> On Mon, Jan 13, 2014 at 6:58 PM, Stefan Sabolowitsch
>> <Stefan.Sabolowitsch at felten-group.com> wrote:
>>> Hi Anoop,
>>> any news here (with my rules) ?
>>>
>>> Best regards
>>> Stefan
>>>
>>> On 11.01.2014 at 03:15, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>>>
>>>> On Fri, Jan 10, 2014 at 10:02 PM, Stefan Sabolowitsch
>>>> <Stefan.Sabolowitsch at felten-group.com> wrote:
>>>>> Hi all,
>>>>> I have multiple suri instances running here, but after the latest git only "one" instance will run; all others failed with this message:
>>>>>
>>>>> suricata: detect-app-layer-event.c:152: DetectAppLayerEventParseAppP2: Assertion `!(1)' failed.
>>>>>
>>>>
>>>> Could you post the rule in question (privately if you want to)?
>>>>
>>>> --
>>>> -------------------------------
>>>> Anoop Saldanha
>>>> http://www.poona.me
>>>> -------------------------------
>>>>
>>>
>>>
>>
>>
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
>>
>
>



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
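
Added example, not part of the original thread: in the quoted startup log every rejected signature is an `alert dns` rule using `app-layer-event`, and `dns-events.rules` ends up with no rules loaded, which leaves the sensor without those detections. The sketch below parses log lines of that format, groups the rejected sids by rule protocol so they can be checked against the app-layer section of the config, and cross-checks the count Suricata reports. The sample log, its `/rules/` path and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the startup log quoted in this thread.
SAMPLE_LOG = """\
[1] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)" from file /rules/dns-events.rules at line 11
[1] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)" from file /rules/dns-events.rules at line 7
[1] 15/1/2014 -- 11:05:32 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /rules/dns-events.rules
[1] 15/1/2014 -- 11:05:32 - (detect.c:453) <Info> (SigLoadSignatures) -- 50 rule files processed. 14414 rules successfully loaded, 2 rules failed
"""

# Greedy .* stops at the last '" from file', so quotes inside msg:"..." are safe.
SIG_ERR = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
EMPTY_FILE = re.compile(r"No rules loaded from (\S+)")
TOTALS = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")


def parse_failures(log):
    """Return one record per rejected signature: proto, event, sid, file, line."""
    out = []
    for m in SIG_ERR.finditer(log):
        rule = m["rule"]
        event = re.search(r"app-layer-event\s*:\s*([^;]+)", rule)
        sid = re.search(r"\bsid\s*:\s*(\d+)", rule)
        out.append({
            "proto": rule.split()[1],  # "alert dns any any ..." -> "dns"
            "event": event.group(1).strip() if event else None,
            "sid": int(sid.group(1)) if sid else None,
            "file": m["file"],
            "line": int(m["line"]),
        })
    return out


def triage(log):
    """Group rejected sids by rule protocol and cross-check Suricata's own count."""
    failures = parse_failures(log)
    by_proto = defaultdict(list)
    for f in failures:
        by_proto[f["proto"]].append(f["sid"])
    totals = TOTALS.search(log)
    reported = int(totals.group(2)) if totals else None
    return {
        "by_proto": {p: sorted(s) for p, s in by_proto.items()},
        "empty_files": sorted(set(EMPTY_FILE.findall(log))),
        "reported_failed": reported,
        "all_failures_seen": reported == len(failures),
    }
```

A result where all rejected sids sit under one protocol and their rule file appears in `empty_files` points at that protocol's configuration rather than at the individual rules.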


