I have updated to net-analyzer/suricata-3.1 from previous version 3.0.1 and have net-libs/libhtp-0.5.18 installed (as I see, the latest upstream version is 0.5.20). Here is the suricata start log I have now:

...
Jul 2 12:16:37 totoro suricata[2587]: 2/7/2016 -- 12:16:37 - <Notice> - This is Suricata version 3.1 RELEASE
Jul 2 12:16:37 totoro suricata[2587]: 2/7/2016 -- 12:16:37 - <Info> - CPUs/cores online: 4
Jul 2 12:16:37 totoro suricata[2587]: 2/7/2016 -- 12:16:37 - <Warning> - [ERRCODE: SC_WARN_OUTDATED_LIBHTP(202)] - can't set response-body-decompress-layer-limit to 2, libhtp version too old
Jul 2 12:16:37 totoro suricata[2587]: 2/7/2016 -- 12:16:37 - <Info> - NFQ running in standard ACCEPT/DROP mode
Jul 2 12:16:37 totoro suricata[2588]: 2/7/2016 -- 12:16:37 - <Info> - Loading rule file: /etc/suricata/rules/local.rules
...
Jul 2 12:16:43 totoro suricata[2588]: 2/7/2016 -- 12:16:43 - <Info> - Loading rule file: /etc/suricata/rules/app-layer-events.rules
Jul 2 12:16:43 totoro suricata[2588]: 2/7/2016 -- 12:16:43 - <Info> - 48 rule files processed. 17537 rules successfully loaded, 0 rules failed
Jul 2 12:16:44 totoro suricata[2588]: 2/7/2016 -- 12:16:44 - <Info> - 17545 signatures processed. 447 are IP-only rules, 5912 are inspecting packet payload, 13457 inspect application layer, 76 are decoder event only
Jul 2 12:16:45 totoro suricata[2588]: 2/7/2016 -- 12:16:45 - <Info> - Threshold config parsed: 0 rule(s) found
Jul 2 12:16:45 totoro suricata[2588]: 2/7/2016 -- 12:16:45 - <Info> - dropped the caps for main thread
Jul 2 12:16:45 totoro suricata[2588]: 2/7/2016 -- 12:16:45 - <Info> - Syslog output initialized
Jul 2 12:16:45 totoro suricata[2588]: 2/7/2016 -- 12:16:45 - <Info> - binding this thread 0 to queue '1'
Jul 2 12:16:45 totoro suricata[2588]: 2/7/2016 -- 12:16:45 - <Info> - setting queue length to 4096
Jul 2 12:16:45 totoro suricata[2588]: 2/7/2016 -- 12:16:45 - <Info> - setting nfnl bufsize to 6144000
Jul 2 12:16:45 totoro suricata[2588]: 2/7/2016 -- 12:16:45 - <Notice> - all 6 packet processing threads, 2 management threads initialized, engine started.
...

I am just worried about the "[ERRCODE: SC_WARN_OUTDATED_LIBHTP(202)]" line; it looks like net-analyzer/suricata-3.1 needs libhtp-0.5.19 or libhtp-0.5.20 (which is not in portage at all) in order to function properly. For now, even if I set response-body-decompress-layer-limit in the suricata config to 0 (disable), I still have this error message in the log.

Reproducible: Always
The configure.ac says >=libhtp-0.5.5. They bundle 0.5.20. Might be worth filing an upstream bug to see if they think that they should update the configure.ac https://redmine.openinfosecfoundation.org/projects/suricata/issues?set_filter=1&tracker_id=1
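An added example, not part of the bug report or of Suricata itself: a small Python check that pulls ERRCODE warnings out of a Suricata startup log in the syslog form pasted above and compares an installed libhtp version against the 0.5.20 minimum named later in this thread. The log lines are the report's own, reused here as constructed test input; the function names and the default minimum version argument are my own choices.

```python
import re

# Constructed sample input: startup lines from the report above, in syslog form.
SAMPLE_LOG = """\
Jul 2 12:16:37 totoro suricata[2587]: 2/7/2016 -- 12:16:37 - <Notice> - This is Suricata version 3.1 RELEASE
Jul 2 12:16:37 totoro suricata[2587]: 2/7/2016 -- 12:16:37 - <Warning> - [ERRCODE: SC_WARN_OUTDATED_LIBHTP(202)] - can't set response-body-decompress-layer-limit to 2, libhtp version too old
Jul 2 12:16:37 totoro suricata[2587]: 2/7/2016 -- 12:16:37 - <Info> - NFQ running in standard ACCEPT/DROP mode
"""

# Matches the "<Level> - [ERRCODE: NAME(number)] - message" tail of a Suricata log line.
ERRCODE_RE = re.compile(
    r"<(?P<level>Warning|Error)> - \[ERRCODE: (?P<name>\w+)\((?P<code>\d+)\)\] - (?P<msg>.*)$"
)


def parse_errcodes(log_text):
    """Return (level, name, code, message) for every line that carries an ERRCODE."""
    found = []
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if m:
            found.append((m["level"], m["name"], int(m["code"]), m["msg"]))
    return found


def version_tuple(version):
    """Turn a dotted version string such as '0.5.18' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def libhtp_satisfies(installed, required="0.5.20"):
    """True when the installed libhtp is at least the version this thread says Suricata 3.1 needs."""
    return version_tuple(installed) >= version_tuple(required)


def check_startup(log_text, installed_libhtp):
    """Report whether SC_WARN_OUTDATED_LIBHTP fired and whether the installed libhtp explains it."""
    outdated = [w for w in parse_errcodes(log_text) if w[1] == "SC_WARN_OUTDATED_LIBHTP"]
    return {
        "outdated_libhtp_warned": bool(outdated),
        "libhtp_ok": libhtp_satisfies(installed_libhtp),
    }


if __name__ == "__main__":
    print(check_startup(SAMPLE_LOG, "0.5.18"))
```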
https://redmine.openinfosecfoundation.org/issues/1839
This is fixed by upstream in 3.1.1.
See https://bugs.gentoo.org/show_bug.cgi?id=595524
Latest suricata needs libhtp-0.5.20, so we have to wait for that version in portage. After that I'll push the suricata update. Thank you
Latest suricata pushed into the tree.