Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Enabled Snort and Suricata Disabled?

    IDS/IPS
    2
    7
    503
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nasheayahu
      last edited by

      System: Netgate 2100
      Version:
      23.09.1-RELEASE (arm64)
      built on Wed Dec 6 13:22:00 MST 2023
      FreeBSD 14.0-CURRENT

      I want to evaluate Snort, because I keep getting this from Suricata:

      [22-Mar-2024 12:46:26 America/Denver] PHP Fatal error:  Uncaught ValueError: date_create_from_format(): Argument #2 ($datetime) must not contain any null bytes in /usr/local/www/widgets/widgets/suricata_alerts.widget.php:188
Stack trace:
#0 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(188): date_create_from_format('m/d/Y-H:i:s.u', '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...')
#1 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(78): suricata_widget_get_alerts()
#2 {main}
  thrown in /usr/local/www/widgets/widgets/suricata_alerts.widget.php on line 188

      Would I be able to disable Suricata, and run Snort or do I have to uninstall it first?

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        You can disable the Suricata interfaces and run Snort just fine.

        But before you do that, what version of Suricata are you running? That particular error should have been corrected with the 7.0.3_1 Suricata package version.

        And a new 7.0.4 package version was released last week (and that version should also have the same fix within it for that error).

        N 1 Reply Last reply Reply Quote 1
        • N
          nasheayahu @bmeeks
          last edited by

          @bmeeks said in Enabled Snort and Suricata Disabled?:

          And a new 7.0.4 package version was released last week

          Yea, I just notice that update today, and will give this one a run and see what happens. Thanks!...

          1 Reply Last reply Reply Quote 0
          • N
            nasheayahu
            last edited by nasheayahu

            Well, for some reason its just not working, maybe because of my Netgate Model, so I will test out Snort.....

            Crash report begins.  Anonymous machine information:

arm64
14.0-CURRENT
FreeBSD 14.0-CURRENT aarch64 1400094 #1 plus-RELENG_23_09_1-n256200-3de1e293f3a: Wed Dec  6 20:59:18 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/obj/aarch64/8ra4gn87/var/jenkins/workspace/pfSense-Plus-snapshots-23_

Crash report details:

PHP Errors:
[25-Mar-2024 14:48:32 America/Denver] PHP Fatal error:  Uncaught ValueError: date_create_from_format(): Argument #2 ($datetime) must not contain any null bytes in /usr/local/www/widgets/widgets/suricata_alerts.widget.php:188
Stack trace:
#0 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(188): date_create_from_format('m/d/Y-H:i:s.u', '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...')
#1 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(78): suricata_widget_get_alerts()
#2 {main}
  thrown in /usr/local/www/widgets/widgets/suricata_alerts.widget.php on line 188
            bmeeksB 1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks @nasheayahu
              last edited by

              @nasheayahu:
              What version of the Suricata package is installed on your system? Is it 7.0.3_1 or 7.0.4, or something lower? I specifically fixed that bug in the Suricata Dashboard Widget code back in the 7.0.3 package update.

              N 1 Reply Last reply Reply Quote 0
              • N
                nasheayahu @bmeeks
                last edited by nasheayahu

                @bmeeks said in Enabled Snort and Suricata Disabled?:

                What version of the Suricata package is installed on your system?
                Screenshot_20240325_221429.png

                Is there another way to verify the version installed?

                Also, note, I'm running pfSense with Suricate 7.0.4 in a virtual lab on a openSUSE Leap 15.5 Host Server, and its running fine, and no widget crashes.

                bmeeksB 1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks @nasheayahu
                  last edited by

                  @nasheayahu said in Enabled Snort and Suricata Disabled?:

                  @bmeeks said in Enabled Snort and Suricata Disabled?:

                  What version of the Suricata package is installed on your system?
                  Screenshot_20240325_221429.png

                  Is there another way to verify the version installed?

                  Also, note, I'm running pfSense with Suricate 7.0.4 in a virtual lab on a openSUSE Leap 15.5 Host Server, and its running fine, and no widget crashes.

                  Hmm. That is the most recent version.

                  The error is caused by a blank line in the alerts.log file for the interface. I've never deteremined how the blank line happens, but one theory is maybe during log rotation.

                  You can do either of these to fix the Dashboard Widget problem:

                  1. Open the file /var/log/suricata/suricata_xxxxx/alerts.log in an editor and find and remove any blank lines in the file. The xxxxx part of the directory path will be the physical interface name and a UUID identifying the specific Suricata interface.
                  2. Go to the ALERTS tab and click the icon to clear out all alerts. That will erase the file and Suricata will start a new empty file.
                  1 Reply Last reply Reply Quote 1
                  • First post
                    Last post