[Oisf-users] Error Message? htp_connp_req_consolidate_data fail

[Cloherty, Sean E]

I doubt I'd be able to get a PCAP from that host, but I could possibly try on a test server.

The message comes up during the startup process so I am not even sure if it gets to the point where it is monitoring any flow yet.

I don't know if this is related but on hosts that show that error also have another symptom of note.  Once they've been running for a while at full load - maybe a couple of hours or so - they never shut down correctly.  The host will take forever after acknowledging the kill signal, then shutdown with this error:

[ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "W#05-ens1f1".  Killing engine

The only variant of this message is the number which follows the #.

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Tuesday, October 18, 2016 17:49 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Error Message? htp_connp_req_consolidate_data fail

On 18-10-16 22:39, Cloherty, Sean E wrote:
> Has anyone come across this error?  I hadn’t noticed before but while 
> testing Suricata on the command line (without -D so I can look at the
> results) it popped up after I started.
> 
[...]

> 18/10/2016 -- 16:34:31 - <Info> - All AFP capture threads are running.
> 
> htp_connp_req_consolidate_data fail

Are you able to record a pcap that triggers this as well?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://suricon.net