[Oisf-users] latest git version, DetectAppLayerEventParseAppP2: Assertion `!(1)' failed

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Fri Jan 17 12:33:18 UTC 2014


Anoop,
That was the trick. Thanks for your help

Stefan


On 17.01.2014 at 12:53, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> Stefan,
> 
> Are you using the updated config? The latest app layer change has
> modified the config -
> 
> http://www.poona.me/2014/01/suricata-app-layer-changes-new-keyword.html
> 
> On Wed, Jan 15, 2014 at 4:42 PM, Stefan Sabolowitsch
> <Stefan.Sabolowitsch at felten-group.com> wrote:
>> Hi Anoop,
>> sorry for the delay but here is the debug output.
>> 
>> [22950] 15/1/2014 -- 11:05:28 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-icmp.rules
>> [22950] 15/1/2014 -- 11:05:29 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-virus.rules
>> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 2
>> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 4
>> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 5
>> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 7
>> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 9
>> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 11
>> [22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 13
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/dns-events.rules
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:453) <Info> (SigLoadSignatures) -- 50 rule files processed. 14414 rules successfully loaded, 7 rules failed
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:2569) <Info> (SigAddressPrepareStage1) -- 14422 signatures processed. 1283 are IP-only rules, 3888 are inspecting packet payload, 10693 inspect application layer, 76 are decoder event only
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:2572) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
>> [22950] 15/1/2014 -- 11:05:32 - (detect.c:3195) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
>> [22950] 15/1/2014 -- 11:05:38 - (detect.c:3837) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
>> 
>> 
>> 
>> 
>> On 13.01.2014 at 15:46, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>> 
>>> Hi Stefan,
>>> 
>>> I have submitted a PR https://github.com/inliniac/suricata/pull/763
>>> that should help you zero in on the offending rule (by printing the
>>> rule to the console, rather than putting out a core dump).
>>> 
>>> You can either apply the patch or wait for it to be pushed.
>>> 
>>> On Mon, Jan 13, 2014 at 6:58 PM, Stefan Sabolowitsch
>>> <Stefan.Sabolowitsch at felten-group.com> wrote:
>>>> Hi Anoop,
>>>> any news here (with my rules) ?
>>>> 
>>>> Best regards
>>>> Stefan
>>>> 
>>>> On 11.01.2014 at 03:15, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>>>> 
>>>>> On Fri, Jan 10, 2014 at 10:02 PM, Stefan Sabolowitsch
>>>>> <Stefan.Sabolowitsch at felten-group.com> wrote:
>>>>>> Hi all,
>>>>>> I have multiple suri instances running here, but after the latest git only "one" instance is running; all the others failed with this message:
>>>>>> 
>>>>>> suricata: detect-app-layer-event.c:152: DetectAppLayerEventParseAppP2: Assertion `!(1)' failed.
>>>>>> 
>>>>> 
>>>>> Could you post the rule in question (privately if you want to).
>>>>> 
>>>>> --
>>>>> -------------------------------
>>>>> Anoop Saldanha
>>>>> http://www.poona.me
>>>>> -------------------------------
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> -------------------------------
>>> Anoop Saldanha
>>> http://www.poona.me
>>> -------------------------------
>>> 
>> 
>> 
> 
> 
> 
> -- 
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
> 
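The debug output quoted above is the kind of loader log a sensor operator has to triage after a parser or config change: the interesting lines are the "error parsing signature" entries, which carry the full rule text, the rule file and the line number, while the "phase2 failure" lines right before them carry no rule at all. The following Python script is an added example for this thread, not code from the mailing list or from the Suricata project. It parses log lines in the format shown in the thread (Suricata 2.0-era console output), extracts sid, msg, app-layer-event keyword, file and line for every rule that failed to load, and groups the failures by event keyword so that a whole family of rules broken by one change (as with the dns.* events here) shows up as one finding. The sample log is a constructed subset of the lines quoted above; the regular expressions are assumptions based on that format only.

```python
import re
from collections import Counter

# Constructed sample: a subset of the debug output quoted in this thread.
SAMPLE_LOG = """\
[22950] 15/1/2014 -- 11:05:28 - (detect.c:406) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/nsm/Serrig-DMZ/rules/emerging-icmp.rules
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 11
[22950] 15/1/2014 -- 11:05:32 - (detect-app-layer-event.c:232) <Error> (DetectAppLayerEventSetupP2) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - App layer event setup phase2 failure.
[22950] 15/1/2014 -- 11:05:32 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)" from file /etc/nsm/Serrig-DMZ/rules/dns-events.rules at line 13
[22950] 15/1/2014 -- 11:05:32 - (detect.c:453) <Info> (SigLoadSignatures) -- 50 rule files processed. 14414 rules successfully loaded, 7 rules failed
"""

# One console log line as seen in the thread (format assumed from those lines):
#   [pid] d/m/yyyy -- HH:MM:SS - (src.c:line) <Level> (Function) -- [ERRCODE: NAME(n)] - message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<date>\S+) -- (?P<time>\S+) - "
    r"\((?P<src>[^:]+):(?P<srcline>\d+)\) <(?P<level>\w+)> \((?P<func>\w+)\) -- "
    r"(?:\[ERRCODE: (?P<errname>\w+)\((?P<errnum>\d+)\)\] - )?(?P<msg>.*)$"
)
# The "error parsing signature" message embeds the whole rule, then its file and line.
SIG_RE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
EVENT_RE = re.compile(r"\bapp-layer-event:\s*([^;]+?)\s*;")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
SUMMARY_RE = re.compile(r"(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed")


def parse_line(line):
    """Split one log line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def failed_signatures(log_text):
    """One record per rule that failed to load: sid, msg, app-layer-event keyword, file, line."""
    failures = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or entry["errname"] != "SC_ERR_INVALID_SIGNATURE":
            continue
        sig = SIG_RE.search(entry["msg"])
        if not sig:
            continue  # the "phase2 failure" line has no rule text; the following line does
        rule = sig.group("rule")
        sid = SID_RE.search(rule)
        event = EVENT_RE.search(rule)
        msg = MSG_RE.search(rule)
        failures.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "event": event.group(1) if event else None,
            "file": sig.group("file"),
            "line": int(sig.group("line")),
        })
    return failures


def summarize(log_text):
    """Count error codes, list rule files that loaded nothing, and pull the loader's own totals."""
    errcodes = Counter()
    empty_files = []
    totals = None
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry:
            continue
        if entry["errname"]:
            errcodes[entry["errname"]] += 1
        if entry["errname"] == "SC_ERR_NO_RULES":
            empty_files.append(entry["msg"].rsplit(" ", 1)[-1])
        tot = SUMMARY_RE.search(entry["msg"])
        if tot:
            totals = {"files": int(tot.group(1)), "loaded": int(tot.group(2)), "failed": int(tot.group(3))}
    return {"errcodes": dict(errcodes), "empty_files": empty_files, "totals": totals}


def report(log_text):
    """Group failures by app-layer-event keyword: one parser or config change usually
    breaks a whole family of event rules, so the keyword is the first thing to read."""
    by_event = {}
    for f in failed_signatures(log_text):
        by_event.setdefault(f["event"], []).append(f)
    lines = []
    for event, items in sorted(by_event.items(), key=lambda kv: str(kv[0])):
        sids = ", ".join(str(i["sid"]) for i in items)
        lines.append(f"{event}: {len(items)} rule(s) failed (sid {sids}) in {items[0]['file']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print(summarize(SAMPLE_LOG))
```

Run it against a full sensor log (`python3 triage.py < suricata.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and compare `summarize()["totals"]["failed"]` with `len(failed_signatures())`: a mismatch means some failures were reported in a message form this parser does not know, which is exactly what you want to notice before assuming the rule set loaded cleanly.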