Bug #2929
Error messages regarding byte jump and byte extract
Status: Closed
Description
From oisf-users:
We occasionally have had the following errors in our suricata.log, which have always been paired together, and I am having trouble tracking down the source of the errors.
{"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}
{"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}
We started seeing these after we switched over to using the 4.x rules from Emerging Threats from the 3.x set.
I tried looking at common alerts during these times, and did find at least one, but this particular rule fires often enough that we see a hit on it once per second so it seems like it could be a coincidence.
I am also not sure that there would be an alert logged in the situations where we run into these errors since this may prevent a match from occurring.
I looked through the Suricata source code for hints. I believe this would be reached from using the isdataat keyword in rules but am not certain that is the only way to reach this.
Does anyone have suggestions on where to go from here? I am trying to avoid enabling debug across all instances of Suricata we have.
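One way to narrow this down without enabling debug logging everywhere is to correlate the engine error events with the alerts logged around them in EVE JSON, and to weigh each co-occurring signature against how often that signature fires overall, since a rule that fires once per second will sit next to almost any error by chance. The script below is an added example, not code from the bug report or from the Suricata project: it parses EVE lines, collects the two engine error names quoted above, counts for each alert signature how many of its hits fall within a configurable window of an error versus how many it produced in total, and ranks signatures by that ratio. The sample log lines, the signature names, the signature ids and the IP addresses are constructed for the example; only the two engine error records are taken from the report.

```python
import json
from collections import Counter
from datetime import datetime

# Engine error names quoted in the bug report.
ENGINE_ERRORS = {"SC_ERR_INVALID_NUM_BYTES", "SC_ERR_NUMERIC_VALUE_ERANGE"}

# Constructed EVE sample: two alerts from a chatty rule, one from a rare rule,
# the two engine errors from the report, and one junk line to show that
# malformed input is skipped rather than aborting the scan.
SAMPLE_LOG = """
{"timestamp":"2019-04-08T08:47:54.500000-0500","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"CONSTRUCTED rule A (fires every second)"}}
{"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}
{"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}
{"timestamp":"2019-04-08T08:47:55.100000-0500","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000002,"signature":"CONSTRUCTED rule B"}}
{"timestamp":"2019-04-08T08:47:59.000000-0500","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"CONSTRUCTED rule A (fires every second)"}}
not json at all
"""


def parse_ts(ts):
    """Parse an EVE timestamp such as 2019-04-08T08:47:54.999844-0500."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_events(lines):
    """Yield (timestamp, record) for each well-formed EVE line; skip the rest."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            yield parse_ts(rec["timestamp"]), rec
        except (ValueError, KeyError):
            # Not JSON, no timestamp, or an unparsable timestamp: ignore it.
            continue


def correlate(lines, window_seconds=1.0):
    """Count, per signature, alerts within window_seconds of an engine error
    versus all alerts for that signature, and tally the engine errors seen."""
    events = list(load_events(lines))
    error_codes = Counter()
    error_times = []
    for ts, rec in events:
        if rec.get("event_type") != "engine":
            continue
        name = rec.get("engine", {}).get("error")
        if name in ENGINE_ERRORS:
            error_codes[name] += 1
            error_times.append(ts)

    near = Counter()
    total = Counter()
    for ts, rec in events:
        if rec.get("event_type") != "alert":
            continue
        sig = rec.get("alert", {}).get("signature", "<unknown>")
        total[sig] += 1
        if any(abs((ts - et).total_seconds()) <= window_seconds for et in error_times):
            near[sig] += 1

    return {
        "errors": error_codes,
        "signatures": {sig: (near[sig], total[sig]) for sig in total},
    }


def suspects(result):
    """Rank signatures by the share of their alerts that sit next to an error,
    so a rule that fires constantly is not mistaken for the trigger."""
    ranked = []
    for sig, (n_near, n_total) in result["signatures"].items():
        ranked.append((sig, n_near / n_total, n_near, n_total))
    ranked.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return ranked


if __name__ == "__main__":
    # Usage on a real file: correlate(open("eve.json"), window_seconds=1.0)
    result = correlate(SAMPLE_LOG.splitlines())
    print("engine errors seen:", dict(result["errors"]))
    for sig, share, n_near, n_total in suspects(result):
        print(f"{share:5.2f}  {n_near}/{n_total}  {sig}")
```

Run it against the instance's eve.json (with the engine event type enabled in the EVE output) and tighten the window once the timestamps show how close the alerts actually land; a signature whose share stays near 1.0 while the overall alert volume is high is a better lead than one that merely fires every second.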
Updated by Victor Julien almost 6 years ago
- Status changed from Assigned to Closed