[Oisf-users] htp_connp_req_consolidate_data fail

Cloherty, Sean E scloherty at mitre.org
Thu Oct 27 20:40:29 UTC 2016


So I've played with settings on the server and this time instead of AF-PACKET in (IDS) workers mode, I got the same error in AF-PACKET using autofp.  

The only difference I've noticed is that the workers mode error pops up immediately following the "All AFP capture threads are running." message in workers, but it takes 5-10 minutes in AUTOFP before it comes up.

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Cloherty, Sean E
Sent: Wednesday, October 19, 2016 09:02 AM
To: Victor Julien <lists at inliniac.net>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Error Message? htp_connp_req_consolidate_data fail

I doubt I'd be able to get a PCAP from that host, but I could possibly try on a test server.

The message comes up during the startup process so I am not even sure if it gets to the point where it is monitoring any flow yet.

I don't know if this is related, but hosts that show that error also have another symptom of note.  Once they've been running for a while at full load - maybe a couple of hours or so - they never shut down correctly.  The host will take forever after acknowledging the kill signal, then shut down with this error:

[ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#05-ens1f1".  Killing engine

The only variant of this message is the number which follows the #.

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Tuesday, October 18, 2016 17:49 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Error Message? htp_connp_req_consolidate_data fail

On 18-10-16 22:39, Cloherty, Sean E wrote:
> Has anyone come across this error?  I hadn’t noticed before but while 
> testing Suricata on the command line (without -D so I can look at the
> results) it popped up after I started.
> 
[...]

> 18/10/2016 -- 16:34:31 - <Info> - All AFP capture threads are running.
> 
> htp_connp_req_consolidate_data fail

Are you able to record a pcap that triggers this as well?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://suricon.net