Bug #2929

closed

error messages regarding byte jump and byte extract

Added by Victor Julien over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

From oisf-users:

We occasionally have had the following errors in our suricata.log, which have always been paired together, and I am having trouble tracking down the source of the errors.

{"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}
{"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}

We started seeing these after we switched over to using the 4.x rules from Emerging Threats from the 3.x set.

I tried looking at common alerts during these times, and did find at least one, but this particular rule fires often enough that we see a hit on it once per second so it seems like it could be a coincidence.

I am also not sure that there would be an alert logged in the situations where we run into these errors since this may prevent a match from occurring.

I looked through the Suricata source code for hints. I believe this would be reached from using the isdataat keyword in rules but am not certain that is the only way to reach this.

Does anyone have suggestions on where to go from here? I am trying to avoid enabling debug across all instances of Suricata we have.
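A triage script for the situation described above, added here as an example and not part of the bug report or of Suricata itself: it reads the JSON engine events from suricata.log, pairs each SC_ERR_NUMERIC_VALUE_ERANGE with the SC_ERR_INVALID_NUM_BYTES logged within a few milliseconds of it (the two records quoted above are 117 microseconds apart), then counts which signature IDs in eve.json fired within a window around each pair, alongside each signature's overall alert count, so that a rule which fires once a second can be separated from one that only shows up next to the errors. The sample log lines are constructed (the first two engine records are the ones quoted in the report, everything else is made up), the signature IDs are placeholders, and the 5 ms pairing gap and 100 ms alert window are assumptions to tune for a real deployment.

```python
"""Correlate paired Suricata engine errors with nearby eve.json alerts.

Added example; the pairing gap, alert window and sample data are assumptions.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample suricata.log (JSON engine events). The first two records
# are the ones quoted in the report; the rest are made up to give a second pair.
SURICATA_LOG = """\
{"timestamp":"2019-04-08T08:47:54.999727-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}
{"timestamp":"2019-04-08T08:47:54.999844-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}
{"timestamp":"2019-04-08T08:48:10.120000-0500","event_type":"engine","engine":{"error_code":61,"error":"SC_ERR_NUMERIC_VALUE_ERANGE","message":"Numeric value out of range"}}
{"timestamp":"2019-04-08T08:48:10.120090-0500","event_type":"engine","engine":{"error_code":62,"error":"SC_ERR_INVALID_NUM_BYTES","message":"Error extracting 0 bytes of string data: -1"}}
"""

# Constructed sample eve.json; signature IDs and names are placeholders.
EVE_JSON = """\
{"timestamp":"2019-04-08T08:47:54.999500-0500","event_type":"alert","alert":{"signature_id":9000001,"signature":"PLACEHOLDER rule A"}}
{"timestamp":"2019-04-08T08:47:54.300000-0500","event_type":"alert","alert":{"signature_id":9000002,"signature":"PLACEHOLDER noisy rule B"}}
{"timestamp":"2019-04-08T08:47:54.999600-0500","event_type":"flow","flow":{}}
{"timestamp":"2019-04-08T08:48:10.119000-0500","event_type":"alert","alert":{"signature_id":9000001,"signature":"PLACEHOLDER rule A"}}
{"timestamp":"2019-04-08T08:48:10.500000-0500","event_type":"alert","alert":{"signature_id":9000002,"signature":"PLACEHOLDER noisy rule B"}}
{"timestamp":"2019-04-08T08:49:00.000000-0500","event_type":"alert","alert":{"signature_id":9000002,"signature":"PLACEHOLDER noisy rule B"}}
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # matches Suricata's EVE timestamp layout


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def load_events(text, event_type):
    """Return (timestamp, record) tuples of one event_type, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == event_type:
            events.append((parse_ts(rec["timestamp"]), rec))
    events.sort(key=lambda item: item[0])
    return events


def pair_engine_errors(engine_events, max_gap=timedelta(milliseconds=5)):
    """Timestamps of ERANGE errors followed within max_gap by INVALID_NUM_BYTES."""
    pairs = []
    for i, (ts, rec) in enumerate(engine_events):
        if rec["engine"]["error"] != "SC_ERR_NUMERIC_VALUE_ERANGE":
            continue
        for later_ts, later_rec in engine_events[i + 1:]:
            if later_ts - ts > max_gap:
                break  # sorted input: nothing further back can be closer
            if later_rec["engine"]["error"] == "SC_ERR_INVALID_NUM_BYTES":
                pairs.append(ts)
                break
    return pairs


def correlate(log_text, eve_text, window=timedelta(milliseconds=100)):
    """Count, per signature ID, how many error pairs it fired next to."""
    engine = load_events(log_text, "engine")
    alerts = load_events(eve_text, "alert")
    pairs = pair_engine_errors(engine)
    total = Counter(rec["alert"]["signature_id"] for _, rec in alerts)
    near = Counter()
    for pair_ts in pairs:
        # A signature counts once per pair, however often it fired in the window.
        seen = {rec["alert"]["signature_id"]
                for ts, rec in alerts if abs(ts - pair_ts) <= window}
        near.update(seen)
    return len(pairs), near, total


if __name__ == "__main__":
    n_pairs, near, total = correlate(SURICATA_LOG, EVE_JSON)
    print(f"{n_pairs} error pair(s) found")
    for sid, count in near.most_common():
        print(f"sid {sid}: near {count}/{n_pairs} pairs, {total[sid]} alerts overall")
```

Run it against real files by passing the contents of suricata.log and eve.json to correlate(); a signature that appears next to every pair but has few alerts overall is a better candidate than one with a high alert count. Because, as the report notes, a failed byte_extract may suppress the match, a pair with no alert nearby is still informative: it narrows the search to rules that did not fire.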
