[Oisf-users] Errors in Suricata.log - SC_ERR_NUMERIC_VALUE_ERANGE and SC_ERR_INVALID_NUM_BYTES

Eric Urban eurban at umn.edu
Mon Apr 8 20:30:53 UTC 2019


We occasionally have had the following errors in our suricata.log, which
have always been paired together, and I am having trouble tracking down the
source of the errors.

{"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}
{"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}

We started seeing these after we switched over to using the 4.x rules from
Emerging Threats from the 3.x set.

I tried looking at common alerts during these times, and did find at least
one, but this particular rule fires often enough that we see a hit on it
once per second so it seems like it could be a coincidence.

I am also not sure that there would be an alert logged in the situations
where we run into these errors since this may prevent a match from
occurring.

I looked through the Suricata source code for hints.  I believe this would
be reached from using the isdataat keyword in rules but am not certain that
is the only way to reach this.

Does anyone have suggestions on where to go from here?  I am trying to
avoid enabling debug across all instances of Suricata we have.

Thank you,
Eric

-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu
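One way to test the coincidence concern raised in the message above, as an added example that is not part of the original post: pair the two engine errors by timestamp, then compare each SID's alert count near those times with the count its overall rate would predict (about 1 means the rule is merely frequent, well above 1 means it clusters around the errors). It assumes alerts are available as EVE JSON records carrying `alert.signature_id`; the SIDs, alert timestamps and window sizes are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
PAIR = {"SC_ERR_INVALID_NUM_BYTES", "SC_ERR_NUMERIC_VALUE_ERANGE"}
ENGINE_LINES = [  # the two suricata.log records quoted in the post
    '{"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}',
    '{"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}',
]

def records(lines):
    """Yield (timestamp, record) for every parseable JSON log line."""
    for line in lines:
        try:
            rec = json.loads(line)
            yield datetime.strptime(rec["timestamp"], TS_FMT), rec
        except (ValueError, KeyError, TypeError):
            continue  # plain-text or truncated line

def paired_incidents(engine_lines, tolerance=timedelta(seconds=1)):
    """Times at which both errors of the pair were logged within `tolerance`."""
    seen = sorted((ts, r["engine"]["error"]) for ts, r in records(engine_lines)
                  if r.get("event_type") == "engine"
                  and r.get("engine", {}).get("error") in PAIR)
    incidents = []
    for (t1, e1), (t2, e2) in zip(seen, seen[1:]):
        fresh = not incidents or t1 - incidents[-1] > tolerance
        if e1 != e2 and t2 - t1 <= tolerance and fresh:
            incidents.append(t1)
    return incidents

def sid_lift(alert_lines, incidents, window=timedelta(seconds=2)):
    """Per SID: alerts observed near incidents / alerts expected from its rate."""
    alerts = [(ts, r["alert"]["signature_id"]) for ts, r in records(alert_lines)
              if r.get("event_type") == "alert" and "alert" in r]
    if not alerts or not incidents:
        return {}
    covered = 2 * window.total_seconds() * len(incidents)
    span = max((max(alerts)[0] - min(alerts)[0]).total_seconds(), covered)
    total = Counter(sid for _, sid in alerts)
    near = Counter(sid for ts, sid in alerts
                   if any(abs(ts - i) <= window for i in incidents))
    return {sid: near[sid] / (total[sid] * covered / span) for sid in near}

def sample_alerts():
    """Constructed EVE alerts: SID 1000001 every second, SID 1000002 once."""
    t0 = datetime(2019, 4, 8, 8, 47, 25, tzinfo=timezone(timedelta(hours=-5)))
    rows = [(t0 + timedelta(seconds=s), 1000001) for s in range(61)]
    rows.append((t0 + timedelta(seconds=29, milliseconds=998), 1000002))
    return [json.dumps({"timestamp": t.strftime(TS_FMT), "event_type": "alert",
                        "alert": {"signature_id": s}}) for t, s in rows]
```

On the constructed data the once-per-second SID scores close to 1 while the SID that fired only beside the error pair scores 15, which is the separation a manual look at "common alerts during these times" cannot give.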