[Oisf-users] SC_ERR_BYTE_EXTRACT_FAILED

Andreas Herz andi at geekosphere.org
Mon Dec 14 16:08:07 UTC 2015


On 13/12/15 at 13:06, Duane Howard wrote:
> So, it's running on live traffic as a test system, and I can't move the 3.0
> RC2 just yet as we're still working on a bunch of transition stuff to get
> away from Snort. I do have full packet capture on the box, however the
> error message doesn't tell me anything about the session where the error
> occurred.
> Is there a way to turn up the verbosity of this log so that I can go
> extract the offending session and test that pcap directly?

Not the perfect idea but since you got the timestamp you might be able
to narrow it down to a smaller pcap file.

> On Sun, Dec 13, 2015 at 11:50 AM, Andreas Herz <andi at geekosphere.org> wrote:
> 
> > On 07/12/15 at 15:01, Duane Howard wrote:
> > > I'm periodically seeing:
> > > suricata[12489]: 7/12/2015 -- 18:51:15 - <Error> - [ERRCODE: SC_ERR_BYTE_EXTRACT_FAILED(128)] - Error extracting 8 bytes of string data: -1
> > >
> > > Is this interesting for debugging? If yes, is there a way to log the
> > > stream causing this to provide additional information?
> >
> > Can you reproduce it?
> > Then it would be best to use tcpdump or similar tools to create a
> > pcap.
> >
> > You could also try 3.0RC2 to see if it's already gone in the newest
> > version.
> >
> > --
> > Andreas Herz

-- 
Andreas Herz
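
The suggestion above, narrowing the full capture to the window around the logged timestamp, as an added example that is not part of the original message or of Suricata. It assumes a classic pcap file (not pcapng) and that the log timestamp is the sensor's local time, so the caller supplies the UTC offset; the function names and the sample capture are constructed for illustration.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Timestamp as it appears in the log line quoted in this thread: d/m/Y -- H:M:S
LOG_TS = re.compile(r"(\d{1,2}/\d{1,2}/\d{4}) -- (\d{2}:\d{2}:\d{2})")

def log_epoch(line, utc_offset_hours=0):
    """Epoch second of the timestamp in a Suricata log line (offset is an assumption)."""
    m = LOG_TS.search(line)
    if not m:
        raise ValueError("no Suricata timestamp in line")
    local = datetime.strptime(" ".join(m.groups()), "%d/%m/%Y %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(local.replace(tzinfo=tz).timestamp())

def slice_pcap(data, start, stop):
    """Return (pcap_bytes, kept) with only the records where start <= ts_sec <= stop."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, us / ns
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, us / ns
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    out, pos, kept = bytearray(data[:24]), 24, 0   # keep the 24-byte global header
    while pos + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        nxt = pos + 16 + incl_len
        if nxt > len(data):   # truncated last record, common when copying a live capture
            break
        if start <= ts_sec <= stop:
            out += data[pos:nxt]
            kept += 1
        pos = nxt
    return bytes(out), kept

def build_sample(t):
    """Constructed capture: four 4-byte dummy records at t-120, t, t+1 and t+300."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", s, 0, 4, 4) + b"\x00" * 4
                    for s in (t - 120, t, t + 1, t + 300))
    return hdr + recs
```

The resulting slice keeps the original global header, so it can be replayed through Suricata's offline pcap mode or opened in any pcap reader to look for the session that triggers the error.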