Suricata crash log
-
Are you running with Inline IPS Mode enabled or just Legacy Mode Blocking?
If you are running Legacy Mode, then try this edit to a file to see if it fixes the issue.
In file /usr/local/www/suricata/suricata_alerts.php: Find the code below that starts on line 176 --

    // REJECT forcing is only applicable to Inline IPS Mode
    if ($a_instance[$instanceid]['ips_mode'] == 'ips_mode_inline' ) {
        $rejectsid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_force_reject']);
    }

and modify it to look like this --

    // REJECT forcing is only applicable to Inline IPS Mode
    if ($a_instance[$instanceid]['ips_mode'] == 'ips_mode_inline' ) {
        $rejectsid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_force_reject']);
    }
    else {
        $rejectsid = array();
    }

Save the change and let me know how that works for you.
-
yes, it's in legacy mode.
i don't see any error / problem for the moment after editing the file, good work
-
@kiokoman said in Suricata crash log:
yes, it's in legacy mode.
i don't see any error / problem for the moment after editing the file, good work
Great! I will put this fix into the update I'm currently working on. It's more fallout from a change the PHP folks made upstream a version or so back when they stopped automatically initializing an "uninitialized" array when it was accessed. In this case, the $rejectsid array variable is initialized by the call to the suricata_load_sid_mods() function, but that call is skipped when Suricata is not using Inline IPS Mode. Then later on the code attempts to iterate the uninitialized array. My bad for not making sure the array is initialized before accessing it, but that PHP change sure causes a lot of programmer "oops" mistakes.
-
This problem should be fixed in the latest Suricata 4.1.4_5 package released for pfSense-2.5 snapshots.
-
yes i have upgraded as soon as i saw it available, the problem is solved
-
new crash today
Crash report begins. Anonymous machine information:
amd64 12.0-RELEASE-p8 FreeBSD 12.0-RELEASE-p8 2ffab8b5708(RELENG_2_5) pfSense
Crash report details:
PHP Errors:
[14-Aug-2019 06:00:56 Europe/Rome] PHP Warning: Use of undefined constant LOG_WARN - assumed 'LOG_WARN' (this will throw an Error in a future version of PHP) in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
[14-Aug-2019 06:00:56 Europe/Rome] PHP Warning: syslog() expects parameter 1 to be int, string given in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
No FreeBSD crash data found.
-
Crap! That's another one I missed with the last change. Should say LOG_WARNING for the constant instead of LOG_WARN. I'll fix it in the next release since it is a non-fatal error (just a warning for now).
If you want to eliminate the warning message before I get a fix posted, go edit the file indicated and change the string LOG_WARN on line 129 to LOG_WARNING and save the change. The file is: /usr/local/pkg/suricata/suricata_geoipupdate.php.
-
done
Aug 15 13:12:41 php 38699 [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
Aug 15 13:12:41 php 38699 [Suricata] GeoLite2-Country IP database is up-to-date.
Aug 15 13:12:41 php 38699 [Suricata] GeoLite2-Country database update check finished.
no error
-
Thanks for the report. I entered the bug in my internal bug tracking system.
It was my fault for using the wrong string, but it's also darn confusing/frustrating the way the PHP creators chose to define these constants for the PHP syslog() function. In half the instances they spell out the complete phrase, while in the other half they use an abbreviation. That leads me to kind of automatically default to assuming LOG_WARN in my head when typing, but the PHP folks actually defined it as LOG_WARNING. So the constants are defined like this:
LOG_DEBUG
LOG_INFO
LOG_NOTICE
LOG_WARNING
LOG_ALERT
LOG_CRIT
LOG_ERR
LOG_EMERG
Notice how they intermix abbreviations with the complete word. Four use abbreviations while the other four are fully written out. Makes it so easy to get it wrong when just coding away, and I did type it wrong in a bunch of places ... . I guess I need to keep that list of defined constants in front of my face at all times.
And to add insult to injury, I used grep to search the source code files for instances of LOG_WARN and still managed to miss one ... .
-
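Added example, not part of the original thread or the Suricata package's code: a Python check that validates every LOG_* name used as the first argument of a PHP syslog() call against the constants PHP defines, instead of searching for one known misspelling. The function name, the sample PHP and the assumption that each call keeps its priority on the same line as `syslog(` are this example's own.

```python
import difflib
import re
import sys

# The eight priority constants listed in the post above.
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
# Facility constants PHP also defines; they may be OR-ed into the priority.
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_CRON", "LOG_DAEMON", "LOG_KERN",
              "LOG_LPR", "LOG_MAIL", "LOG_NEWS", "LOG_SYSLOG", "LOG_USER",
              "LOG_UUCP"} | {f"LOG_LOCAL{n}" for n in range(8)}
VALID = PRIORITIES | FACILITIES

# First argument of a syslog() call: everything up to the first ',' or ')'.
SYSLOG_ARG = re.compile(r"\bsyslog\s*\(([^,)]*)")
# Bare LOG_* identifiers; "$LOG_X" (a variable) is skipped by the lookbehind.
LOG_CONST = re.compile(r"(?<![$\w])LOG_[A-Z0-9_]+")

def find_bad_priorities(source, filename="<sample>"):
    """Return (file, line, bad_name, suggestion) for each unknown LOG_* priority."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for call in SYSLOG_ARG.finditer(line):
            for name in LOG_CONST.findall(call.group(1)):
                if name not in VALID:
                    close = difflib.get_close_matches(name, sorted(VALID), n=1)
                    findings.append((filename, lineno, name, close[0] if close else None))
    return findings

# Constructed sample input, not the package's real source.
SAMPLE_PHP = """<?php
syslog(LOG_NOTICE, "update check started");
syslog(LOG_WARN, "download failed");
syslog(LOG_DAEMON | LOG_ERR, "cannot write database");
syslog($LOG_LEVEL, "priority taken from a variable");
syslog( LOG_WARNING , "retrying");
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # scan the PHP files named on the command line
        results = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results += find_bad_priorities(fh.read(), path)
    else:
        results = find_bad_priorities(SAMPLE_PHP)
    for fname, lineno, name, hint in results:
        print(f"{fname}:{lineno}: undefined syslog constant {name} (did you mean {hint}?)")
    sys.exit(1 if results else 0)
```
-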
@bmeeks
i had this today after upgrading pfsense 2.5 and reboot to the latest revision
Crash report begins. Anonymous machine information:
amd64 12.0-RELEASE-p9 FreeBSD 12.0-RELEASE-p9 e23c75c4280(RELENG_2_5) pfSense
Crash report details:
PHP Errors:
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
[27-Aug-2019 20:56:56 Europe/Rome] PHP Warning: filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
No FreeBSD crash data found.
-
I just upgraded a test virtual machine to the same version without issue. Something went awry with your system during the update. Those errors indicate none of the rules files got created properly. I suggest you delete the package and install it again from the Package Manager menu.
If you have a RAM disk configured, be sure there is at least 256 MB of free space on /tmp.