[Oisf-users] SC_ERR_BYTE_EXTRACT_FAILED

Duane Howard duane.security at gmail.com
Sun Dec 13 21:06:01 UTC 2015


So, it's running on live traffic as a test system, and I can't move to the 3.0
RC2 just yet as we're still working on a bunch of transition stuff to get
away from Snort. I do have full packet capture on the box; however, the
error message doesn't tell me anything about the session where the error
occurred.
Is there a way to turn up the verbosity of this log so that I can go
extract the offending session and test that pcap directly?

On Sun, Dec 13, 2015 at 11:50 AM, Andreas Herz <andi at geekosphere.org> wrote:

> On 07/12/15 at 15:01, Duane Howard wrote:
> > I'm periodically seeing:
> > suricata[12489]: 7/12/2015 -- 18:51:15 - <Error> - [ERRCODE:
> > SC_ERR_BYTE_EXTRACT_FAILED(128)] - Error extracting 8 bytes of string data: -1
> >
> > Is this interesting for debugging? If yes, is there a way to log the stream
> > causing this to provide additional information?
>
> Can you reproduce it?
> Then it would be the best to use tcpdump or similar tools to create a
> pcap.
>
> You could also try 3.0RC2 to see if it's already gone in the newest version
>
> --
> Andreas Herz