Bug #987 (closed): default config generates error(s)
Description
E.g. https://buildbot.suricata-ids.org/builders/pcap%20freebsd-x64/builds/240/steps/shell_10/logs/stdio
[100173] 2/10/2013 -- 23:51:15 - (app-layer-parser.c:2194) <Error> (AppLayerInsertNewProbingParser) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Duplicate pp registered
[100173] 2/10/2013 -- 23:51:15 - (app-layer-parser.c:1622) <Info> (AppLayerProtoDetectionEnabled) -- Entry for app-layer.protocols.jabber.enabled not found.
2 problems here:
- the error isn't useful, it's unclear what action should be taken.
- default cfg shouldn't generate the error at all
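The second point above (a stock configuration must start cleanly) is easy to turn into an automated check for a build or CI job such as the buildbot run linked in the description. The script below is an added example, not Suricata project code: it parses the 2.0dev startup-log line format seen in this report (`[pid] d/m/Y -- H:M:S - (file.c:line) <Level> (Function) -- [ERRCODE: NAME(n)] - message`) and returns every Error or Warning entry, minus an allowlist of codes the run is expected to produce (here `SC_ERR_NO_RULES` and `SC_ERR_NO_RULES_LOADED`, which come from starting with `-S /dev/null`, not from the config). The sample log is constructed from lines quoted in this report; the function and constant names are this example's own.

```python
"""Lint a Suricata startup log for unexpected Error/Warning entries.

Added example (not Suricata project code). The line format is taken from
the log lines quoted in this bug report; the ERRCODE part is present only
on Error/Warning lines, so it is optional in the pattern.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

LOG_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+--\s+(?P<time>\d{2}:\d{2}:\d{2})\s+-\s+"
    r"\((?P<file>[^:]+):(?P<line>\d+)\)\s+"
    r"<(?P<level>\w+)>\s+\((?P<func>\w+)\)\s+--\s+"
    r"(?:\[ERRCODE:\s+(?P<errname>\w+)\((?P<errnum>\d+)\)\]\s+-\s+)?"
    r"(?P<msg>.*)$"
)


@dataclass
class LogEntry:
    pid: int
    timestamp: str
    source: str            # "file.c:line" where the message was emitted
    level: str             # Notice / Info / Warning / Error
    func: str
    errname: Optional[str]  # SC_ERR_* symbolic code, if any
    errnum: Optional[int]
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one Suricata log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        pid=int(m["pid"]),
        timestamp=f"{m['date']} {m['time']}",
        source=f"{m['file']}:{m['line']}",
        level=m["level"],
        func=m["func"],
        errname=m["errname"],
        errnum=int(m["errnum"]) if m["errnum"] else None,
        msg=m["msg"],
    )


def audit_startup_log(text: str,
                      expected_errcodes: FrozenSet[str] = frozenset()) -> List[LogEntry]:
    """Return Error/Warning entries a clean default-config start should not produce.

    Codes in expected_errcodes are ignored, e.g. the no-rules errors when the
    run deliberately loads no signatures. Info/Notice lines never count.
    """
    findings: List[LogEntry] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or entry.level not in ("Error", "Warning"):
            continue
        if entry.errname in expected_errcodes:
            continue
        findings.append(entry)
    return findings


# Codes produced by the test invocation itself (-S /dev/null), not by the config.
EXPECTED_WHEN_NO_RULES = frozenset({"SC_ERR_NO_RULES", "SC_ERR_NO_RULES_LOADED"})

# Constructed sample: lines quoted in this report, in startup order.
SAMPLE_LOG = """
[6091] 17/10/2013 -- 11:52:19 - (suricata.c:931) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev
[100173] 2/10/2013 -- 23:51:15 - (app-layer-parser.c:2194) <Error> (AppLayerInsertNewProbingParser) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Duplicate pp registered
[100173] 2/10/2013 -- 23:51:15 - (app-layer-parser.c:1622) <Info> (AppLayerProtoDetectionEnabled) -- Entry for app-layer.protocols.jabber.enabled not found.
[6091] 17/10/2013 -- 11:52:19 - (detect.c:428) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /dev/null
[6091] 17/10/2013 -- 11:52:19 - (detect.c:442) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[6091] 17/10/2013 -- 11:52:19 - (util-threshold-config.c:143) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata//threshold.config": No such file or directory
[6091] 17/10/2013 -- 11:52:19 - (tm-threads.c:2192) <Notice> (TmThreadWaitOnThreadInit) -- all 19 packet processing threads, 3 management threads initialized, engine started.
"""

if __name__ == "__main__":
    for f in audit_startup_log(SAMPLE_LOG, EXPECTED_WHEN_NO_RULES):
        print(f"{f.level:8} {f.errname or '-':24} {f.source:32} {f.msg}")
```

Run against the constructed sample this reports the `SC_ERR_ALPARSER` duplicate-pp error and the `SC_ERR_FOPEN` threshold.config warning, which is exactly the list a maintainer would want a buildbot step to fail on; feeding it the real stdio log and exiting non-zero when the list is non-empty turns the report's second point into a regression test.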
Updated by Anoop Saldanha about 11 years ago
Unable to reproduce duplicate pp registered message with default conf. I have improved the error message.
The second error message on jabber would be fixed.
Updated by Victor Julien about 11 years ago
Anoop Saldanha wrote:
Unable to reproduce duplicate pp registered message with default conf. I have improved the error message.
That is strange. If I checkout a fresh copy of the master, configure and build I already get it.
Updated by Anoop Saldanha about 11 years ago
- File suricata.yaml suricata.yaml added
Conf file attached.
The master as we speak -
commit 2953b3f6403e94874c0c7b19faf52706cff66138
Author: Jason Ish <jason.ish@emulex.com>
Date: Wed Oct 16 11:59:26 2013 -0600
Feature #901 - VLAN defrag support.
Take VLAN IDs into account when re-assembling fragments.
Prevents fragments that would otherwise match, but on different
VLANs from being reassembled with each other.
poona@poona_ws:~/development/oisf/repo/sandbox_task_197$ sudo suricata -c ./suricata.yaml -S /dev/null -i lo
[6091] 17/10/2013 -- 11:52:19 - (suricata.c:931) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev
[6091] 17/10/2013 -- 11:52:19 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 12
[6091] 17/10/2013 -- 11:52:19 - (util-ioctl.c:91) <Info> (GetIfaceMTU) -- Found an MTU of 16436 for 'lo'
[6091] 17/10/2013 -- 11:52:19 - (defrag-hash.c:209) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[6091] 17/10/2013 -- 11:52:19 - (defrag-hash.c:234) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 152
[6091] 17/10/2013 -- 11:52:19 - (defrag-hash.c:241) <Info> (DefragInitConfig) -- defrag memory usage: 13631336 bytes, maximum: 33554432
[6091] 17/10/2013 -- 11:52:19 - (tmqh-flow.c:76) <Info> (TmqhFlowRegister) -- AutoFP mode using default "Active Packets" flow load balancer
[6091] 17/10/2013 -- 11:52:19 - (tmqh-packetpool.c:141) <Info> (PacketPoolInit) -- preallocated 1024 packets. Total memory 19802112
[6091] 17/10/2013 -- 11:52:19 - (host.c:205) <Info> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[6091] 17/10/2013 -- 11:52:19 - (host.c:228) <Info> (HostInitConfig) -- preallocated 1000 hosts of size 112
[6091] 17/10/2013 -- 11:52:19 - (host.c:230) <Info> (HostInitConfig) -- host memory usage: 390144 bytes, maximum: 16777216
[6091] 17/10/2013 -- 11:52:19 - (flow.c:386) <Info> (FlowInitConfig) -- allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
[6091] 17/10/2013 -- 11:52:19 - (flow.c:410) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 280
[6091] 17/10/2013 -- 11:52:19 - (flow.c:412) <Info> (FlowInitConfig) -- flow memory usage: 7074304 bytes, maximum: 33554432
[6091] 17/10/2013 -- 11:52:19 - (reputation.c:459) <Info> (SRepInit) -- IP reputation disabled
[6091] 17/10/2013 -- 11:52:19 - (util-classification-config.c:362) <Info> (SCClassConfParseFile) -- Added "35" classification types from the classification file
[6091] 17/10/2013 -- 11:52:19 - (util-reference-config.c:339) <Info> (SCRConfParseFile) -- Added "18" reference types from the reference.config file
[6091] 17/10/2013 -- 11:52:19 - (suricata.c:1720) <Info> (SetupDelayedDetect) -- Delayed detect disabled
[6091] 17/10/2013 -- 11:52:19 - (detect.c:422) <Info> (SigLoadSignatures) -- Loading rule file: /dev/null
[6091] 17/10/2013 -- 11:52:19 - (detect.c:428) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /dev/null
[6091] 17/10/2013 -- 11:52:19 - (detect.c:442) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[6091] 17/10/2013 -- 11:52:19 - (detect.c:2581) <Info> (SigAddressPrepareStage1) -- 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[6091] 17/10/2013 -- 11:52:19 - (detect.c:2584) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
[6091] 17/10/2013 -- 11:52:19 - (detect.c:3210) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
[6091] 17/10/2013 -- 11:52:19 - (detect.c:3852) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
[6091] 17/10/2013 -- 11:52:19 - (util-threshold-config.c:143) <Warning> (SCThresholdConfInitContext) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/etc/suricata//threshold.config": No such file or directory
[6091] 17/10/2013 -- 11:52:19 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[6091] 17/10/2013 -- 11:52:19 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- fast output device (regular) initialized: fast.log
[6091] 17/10/2013 -- 11:52:19 - (alert-unified2-alert.c:1421) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename unified2.alert, limit 32 MB
[6091] 17/10/2013 -- 11:52:19 - (util-logopenfile.c:168) <Info> (SCConfLogOpenGeneric) -- http-log output device (regular) initialized: http.log
[6091] 17/10/2013 -- 11:52:19 - (util-runmodes.c:405) <Info> (RunModeSetLiveCaptureAutoFp) -- Using 1 live device(s).
[6092] 17/10/2013 -- 11:52:19 - (source-pcap.c:392) <Info> (ReceivePcapThreadInit) -- using interface lo
[6092] 17/10/2013 -- 11:52:19 - (source-pcap.c:397) <Info> (ReceivePcapThreadInit) -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
[6092] 17/10/2013 -- 11:52:19 - (util-ioctl.c:91) <Info> (GetIfaceMTU) -- Found an MTU of 16436 for 'lo'
[6092] 17/10/2013 -- 11:52:19 - (source-pcap.c:432) <Info> (ReceivePcapThreadInit) -- Set snaplen to 16450 for 'lo'
[6091] 17/10/2013 -- 11:52:19 - (runmode-pcap.c:355) <Info> (RunModeIdsPcapAutoFp) -- RunModeIdsPcapAutoFp initialised
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:374) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:390) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:396) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:402) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:419) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:441) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:454) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:472) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:490) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:573) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2452
[6091] 17/10/2013 -- 11:52:19 - (stream-tcp.c:575) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2494
[6091] 17/10/2013 -- 11:52:19 - (tm-threads.c:2192) <Notice> (TmThreadWaitOnThreadInit) -- all 19 packet processing threads, 3 management threads initialized, engine started.
This is weird. Are you using some other conf file?
Updated by Victor Julien about 11 years ago
Updated by Anoop Saldanha about 11 years ago
Victor Julien wrote:
I think you missed this https://github.com/poona/suricata/commit/d8839c5172581f98e2cc1981558ff70d669cce44#commitcomment-4275091
No, that's not for 987. But whatever that commit was supposed to fix has gone into the codebase, somehow :)
Updated by Anoop Saldanha about 11 years ago
The jabber warning error -
[100173] 2/10/2013 -- 23:51:15 - (app-layer-parser.c:1622) <Info> (AppLayerProtoDetectionEnabled) -- Entry for app-layer.protocols.jabber.enabled not found.
is fixed by https://github.com/inliniac/suricata/pull/584 and specifically by commit
https://github.com/poona/suricata/commit/b24fb72247992e63586b4e9926ce35ce2904caaf
This leaves us with the Duplicate PP warning message, which I'm unable to reproduce with the stock conf. Boot_log/yaml attached above.
Updated by Victor Julien about 11 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
I see we've been confusing 2 things in this report and the discussion on github. I should have never added the jabber info message to it. The report was meant to be about the duplicate pp error only. The other message is info, so neither error nor warning. Both messages are gone now, so closing.