[Oisf-users] SC_ERR_BYTE_EXTRACT_FAILED

Victor Julien lists at inliniac.net
Mon Dec 14 17:30:41 UTC 2015




On 14-12-15 17:08, Andreas Herz wrote:
> On 13/12/15 at 13:06, Duane Howard wrote:
>> So, it's running on live traffic as a test system, and I can't move the 3.0
>> RC2 just yet as we're still working on a bunch of transition stuff to get
>> away from Snort. I do have full packet capture on the box, however the
>> error message doesn't tell me anything about the session where the error
>> occurred.
>> Is there a way to turn up the verbosity of this log so that I can go
>> extract the offending session and test that pcap directly?
> 
> Not the perfect idea but since you got the timestamp you might be able
> to narrow it down to a smaller pcap file.
> 
>> On Sun, Dec 13, 2015 at 11:50 AM, Andreas Herz <andi at geekosphere.org> wrote:
>>
>>> On 07/12/15 at 15:01, Duane Howard wrote:
>>>> I'm periodically seeing:
>>>> suricata[12489]: 7/12/2015 -- 18:51:15 - <Error> - [ERRCODE: SC_ERR_BYTE_EXTRACT_FAILED(128)] - Error extracting 8 bytes of string data: -1

As a matter of policy, no traffic should be able to create/trigger
output. Especially not since we have no rate limiting in place. So this
case can be fixed w/o a test case, we just need to suppress the output.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
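
The policy in the reply above, sketched as an added example that is not part of the original message and is not Suricata's own code: a parser for string-encoded integers in packet data whose failure path writes no log line. The names `extract_string_u64` and `extract_failure_count`, and the choice to count failures in a statistic, are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical counter: failures caused by traffic are counted, never logged. */
static uint64_t extract_failures;

uint64_t extract_failure_count(void) { return extract_failures; }

/* Parse up to len bytes of packet data (not NUL-terminated) as an unsigned
 * integer. Returns the number of bytes consumed, or -1 on failure. The
 * failure path is silent because the input is attacker-controlled. */
int extract_string_u64(uint64_t *res, int base, size_t len, const uint8_t *data)
{
    char buf[24], *end = NULL; /* 20 decimal digits of a uint64_t, NUL, slack */
    unsigned long long v;
    if (res == NULL || data == NULL || len == 0 || len >= sizeof(buf))
        goto fail;
    memcpy(buf, data, len);
    buf[len] = '\0';
    /* strtoull() accepts leading whitespace and a sign; packet data must not. */
    if (!isalnum((unsigned char)buf[0]))
        goto fail;
    errno = 0;
    v = strtoull(buf, &end, base);
    if (end == buf || errno == ERANGE)
        goto fail;
    *res = (uint64_t)v;
    return (int)(end - buf);
fail:
    extract_failures++; /* visible in stats, costs no log I/O per packet */
    return -1;
}

int main(void)
{
    /* Constructed sample payloads, not taken from the thread. */
    const char *samples[] = { "12345678", "GET /ind", "-1", "99999999999999999999" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t v = 0;
        int r = extract_string_u64(&v, 10, strlen(samples[i]), (const uint8_t *)samples[i]);
        printf("%-22s -> ret=%d value=%llu\n", samples[i], r, (unsigned long long)v);
    }
    printf("failures counted: %llu\n", (unsigned long long)extract_failure_count());
    return 0;
}
```

The caller still learns that extraction failed from the return value; only the per-packet log write is gone, so malformed traffic cannot flood the log.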



